feat: add explicit priority support (#190)

ffyuanda · web-flow · commit 94450866a6e3 · 2021-09-25T22:27:52.000+08:00
* feat: added explicit priority support

Signed-off-by: ffyuanda &lt;46557895+ffyuanda@users.noreply.github.com&gt;

* feat: updated load_policy to match casbin

Signed-off-by: ffyuanda &lt;shaoxuan.yuan02@gmail.com&gt;
diff --git a/casbin/core_enforcer.py b/casbin/core_enforcer.py
@@ -1,4 +1,4 @@
-import logging
+import logging, copy
 
 from casbin.effect import Effector, get_effector, effect_to_bool
 from casbin.model import Model, FunctionMap
@@ -177,14 +177,36 @@ def init_rm_map(self):
 
     def load_policy(self):
         """reloads the policy from file/database."""
+        need_to_rebuild = False
+        new_model = copy.copy(self.model)
+        new_model.clear_policy()
 
-        self.model.clear_policy()
-        self.adapter.load_policy(self.model)
+        try:
 
-        self.init_rm_map()
-        self.model.print_policy()
-        if self.auto_build_role_links:
-            self.build_role_links()
+            self.adapter.load_policy(new_model)
+
+            new_model.sort_policies_by_priority()
+
+            self.init_rm_map()
+            self.model.print_policy()
+
+            if self.auto_build_role_links:
+
+                need_to_rebuild = True
+                for rm in self.rm_map.values():
+                    rm.clear()
+
+                new_model.build_role_links(self.rm_map)
+                self.build_role_links()
+
+            self.model = new_model
+
+        except Exception as e:
+
+            if self.auto_build_role_links and need_to_rebuild:
+                self.build_role_links()
+
+            raise e
 
     def load_filtered_policy(self, filter):
         """reloads a filtered policy from file/database."""
@@ -194,6 +216,9 @@ def load_filtered_policy(self, filter):
             raise ValueError("filtered policies are not supported by this adapter")
 
         self.adapter.load_filtered_policy(self.model, filter)
+
+        self.model.sort_policies_by_priority()
+
         self.init_rm_map()
         self.model.print_policy()
         if self.auto_build_role_links:
diff --git a/casbin/effect/__init__.py b/casbin/effect/__init__.py
@@ -16,7 +16,7 @@ def get_effector(expr):
         return DenyOverrideEffector()
     elif expr == "some(where (p_eft == allow)) && !some(where (p_eft == deny))":
         return AllowAndDenyEffector()
-    elif expr == "priority(p_eft) || deny":
+    elif expr == "priority(p_eft) || deny" or expr == "subjectPriority(p_eft) || deny":
         return PriorityEffector()
     else:
         raise RuntimeError("unsupported effect")
diff --git a/casbin/model/assertion.py b/casbin/model/assertion.py
@@ -10,6 +10,8 @@ def __init__(self):
         self.tokens = []
         self.policy = []
         self.rm = None
+        self.priority_index: int = -1
+        self.policy_map: dict = {}
 
     def build_role_links(self, rm):
         self.rm = rm
diff --git a/casbin/model/model.py b/casbin/model/model.py
@@ -79,3 +79,22 @@ def print_model(self):
         for k, v in self.items():
             for i, j in v.items():
                 self.logger.info("%s.%s: %s", k, i, j.value)
+
+    def sort_policies_by_priority(self):
+        for ptype, assertion in self["p"].items():
+            for index, token in enumerate(assertion.tokens):
+                if token == f"{ptype}_priority":
+                    assertion.priority_index = index
+                    break
+
+            if assertion.priority_index == -1:
+                continue
+
+            assertion.policy = sorted(
+                assertion.policy, key=lambda x: x[assertion.priority_index]
+            )
+
+            for i, policy in enumerate(assertion.policy):
+                assertion.policy_map[",".join(policy)] = i
+
+        return None
diff --git a/casbin/model/policy.py b/casbin/model/policy.py
@@ -1,5 +1,7 @@
 import logging
 
+DEFAULT_SEP = ","
+
 
 class Policy:
     def __init__(self):
@@ -83,12 +85,37 @@ def has_policy(self, sec, ptype, rule):
 
     def add_policy(self, sec, ptype, rule):
         """adds a policy rule to the model."""
-
+        assertion = self[sec][ptype]
         if not self.has_policy(sec, ptype, rule):
-            self[sec][ptype].policy.append(rule)
-            return True
+            assertion.policy.append(rule)
+        else:
+            return False
+
+        if sec == "p" and assertion.priority_index >= 0:
+            try:
+                idx_insert = int(rule[assertion.priority_index])
 
-        return False
+                i = len(assertion.policy) - 1
+                for i in range(i, 0, -1):
+
+                    try:
+                        idx = int(assertion.policy[i - 1][assertion.priority_index])
+                    except Exception as e:
+                        print(e)
+
+                    if idx > idx_insert:
+                        assertion.policy[i] = assertion.policy[i - 1]
+                    else:
+                        break
+
+                assertion.policy[i] = rule
+                assertion.policy_map[DEFAULT_SEP.join(rule)] = i
+
+            except Exception as e:
+                print(e)
+
+        assertion.policy_map[DEFAULT_SEP.join(rule)] = len(assertion.policy) - 1
+        return True
 
     def add_policies(self, sec, ptype, rules):
         """adds policy rules to the model."""
diff --git a/examples/priority_model_explicit.conf b/examples/priority_model_explicit.conf
@@ -11,4 +11,4 @@ g = _, _
 e = priority(p.eft) || deny
 
 [matchers]
-m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
diff --git a/tests/test_enforcer.py b/tests/test_enforcer.py
@@ -141,6 +141,32 @@ def test_enforce_priority(self):
         self.assertTrue(e.enforce("bob", "data2", "read"))
         self.assertFalse(e.enforce("bob", "data2", "write"))
 
+    def test_enforce_priority_explicit(self):
+        e = self.get_enforcer(
+            get_examples("priority_model_explicit.conf"),
+            get_examples("priority_policy_explicit.csv"),
+        )
+
+        self.assertTrue(e.enforce("alice", "data1", "write"))
+        self.assertTrue(e.enforce("alice", "data1", "read"))
+        self.assertFalse(e.enforce("bob", "data2", "read"))
+        self.assertTrue(e.enforce("bob", "data2", "write"))
+        self.assertFalse(e.enforce("data1_deny_group", "data1", "read"))
+        self.assertFalse(e.enforce("data1_deny_group", "data1", "write"))
+        self.assertTrue(e.enforce("data2_allow_group", "data2", "read"))
+        self.assertTrue(e.enforce("data2_allow_group", "data2", "write"))
+
+        e.add_policy("1", "bob", "data2", "write", "deny")
+
+        self.assertTrue(e.enforce("alice", "data1", "write"))
+        self.assertTrue(e.enforce("alice", "data1", "read"))
+        self.assertFalse(e.enforce("bob", "data2", "read"))
+        self.assertFalse(e.enforce("bob", "data2", "write"))
+        self.assertFalse(e.enforce("data1_deny_group", "data1", "read"))
+        self.assertFalse(e.enforce("data1_deny_group", "data1", "write"))
+        self.assertTrue(e.enforce("data2_allow_group", "data2", "read"))
+        self.assertTrue(e.enforce("data2_allow_group", "data2", "write"))
+
     def test_enforce_priority_indeterminate(self):
         e = self.get_enforcer(
             get_examples("priority_model.conf"),
