From 4eee2afa45de36e611a0f765785a873356340f54 Mon Sep 17 00:00:00 2001 From: Rushikesh Tote <31135699+rushitote@users.noreply.github.com> Date: Mon, 7 Jun 2021 18:22:12 +0530 Subject: [PATCH] feat: Added Management API for the Enforcer (#51) Signed-off-by: Rushikesh Tote --- src/main/Enforcer.lua | 4 +- src/main/InternalEnforcer.lua | 2 + src/main/ManagementEnforcer.lua | 301 ++++++++++++++++++++++++++++++++ src/model/FunctionMap.lua | 25 ++- src/model/Policy.lua | 16 +- src/util/Util.lua | 12 ++ 6 files changed, 350 insertions(+), 10 deletions(-) create mode 100644 src/main/ManagementEnforcer.lua diff --git a/src/main/Enforcer.lua b/src/main/Enforcer.lua index 7c54a68..0b99eed 100644 --- a/src/main/Enforcer.lua +++ b/src/main/Enforcer.lua @@ -12,9 +12,9 @@ --See the License for the specific language governing permissions and --limitations under the License. -require("src.main.InternalEnforcer") +require("src.main.ManagementEnforcer") Enforcer = {} -setmetatable(Enforcer, InternalEnforcer) +setmetatable(Enforcer, ManagementEnforcer) return Enforcer \ No newline at end of file diff --git a/src/main/InternalEnforcer.lua b/src/main/InternalEnforcer.lua index eacd672..47687be 100644 --- a/src/main/InternalEnforcer.lua +++ b/src/main/InternalEnforcer.lua @@ -247,3 +247,5 @@ function InternalEnforcer:removeFilteredPolicy(sec, ptype, fieldIndex, fieldValu return true -- TODO: update watcher, add logger end + +return InternalEnforcer \ No newline at end of file diff --git a/src/main/ManagementEnforcer.lua b/src/main/ManagementEnforcer.lua new file mode 100644 index 0000000..07abec3 --- /dev/null +++ b/src/main/ManagementEnforcer.lua @@ -0,0 +1,301 @@ +--Copyright 2021 The casbin Authors. All Rights Reserved. +-- +--Licensed under the Apache License, Version 2.0 (the "License"); +--you may not use this file except in compliance with the License. +--You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +--Unless required by applicable law or agreed to in writing, software +--distributed under the License is distributed on an "AS IS" BASIS, +--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +--See the License for the specific language governing permissions and +--limitations under the License. + +require("src.main.InternalEnforcer") + +-- ManagementEnforcer = InternalEnforcer + Management API. +ManagementEnforcer = {} +setmetatable(ManagementEnforcer, InternalEnforcer) +ManagementEnforcer.__index = ManagementEnforcer + +-- GetAllSubjects gets the list of subjects that show up in the current policy. +function ManagementEnforcer:GetAllSubjects() + return self.model:getValuesForFieldInPolicyAllTypes("p", 1) +end + +-- GetAllNamedSubjects gets the list of subjects that show up in the current named policy. +function ManagementEnforcer:GetAllNamedSubjects(ptype) + return self.model:getValuesForFieldInPolicy("p", ptype, 1) +end + +-- GetAllObjects gets the list of objects that show up in the current policy. +function ManagementEnforcer:GetAllObjects() + return self.model:getValuesForFieldInPolicyAllTypes("p", 2) +end + +-- GetAllNamedObjects gets the list of objects that show up in the current named policy. +function ManagementEnforcer:GetAllNamedObjects(ptype) + return self.model:getValuesForFieldInPolicy("p", ptype, 2) +end + +-- GetAllActions gets the list of actions that show up in the current policy. +function ManagementEnforcer:GetAllActions() + return self.model:getValuesForFieldInPolicyAllTypes("p", 3) +end + +-- GetAllNamedActions gets the list of actions that show up in the current named policy. +function ManagementEnforcer:GetAllNamedActions(ptype) + return self.model:getValuesForFieldInPolicy("p", ptype, 3) +end + +-- GetAllRoles gets the list of roles that show up in the current policy. +function ManagementEnforcer:GetAllRoles() + return self.model:getValuesForFieldInPolicyAllTypes("g", 2) +end + +-- GetAllNamedRoles gets the list of roles that show up in the current named policy. +function ManagementEnforcer:GetAllNamedRoles(ptype) + return self.model:getValuesForFieldInPolicy("g", ptype, 2) +end + +-- GetPolicy gets all the authorization rules in the policy. +function ManagementEnforcer:GetPolicy() + return self:GetNamedPolicy("p") +end + +-- GetNamedPolicy gets all the authorization rules in the named policy. +function ManagementEnforcer:GetNamedPolicy(ptype) + return self.model:getPolicy("p", ptype) +end + +-- GetFilteredPolicy gets all the authorization rules in the policy, field filters can be specified. +function ManagementEnforcer:GetFilteredPolicy(fieldIndex, ...) + return self:GetFilteredNamedPolicy("p", fieldIndex, ...) +end + +-- GetFilteredNamedPolicy gets all the authorization rules in the named policy, field filters can be specified. +function ManagementEnforcer:GetFilteredNamedPolicy(ptype, fieldIndex, ...) + return self.model:getFilteredPolicy("p", ptype, fieldIndex, ...) +end + +-- GetGroupingPolicy gets all the role inheritance rules in the policy. +function ManagementEnforcer:GetGroupingPolicy() + return self:GetNamedGroupingPolicy("g") +end +-- GetNamedGroupingPolicy gets all the role inheritance rules in the policy. +function ManagementEnforcer:GetNamedGroupingPolicy(ptype) + return self.model:getPolicy("g", ptype) +end + +-- GetFilteredGroupingPolicy gets all the role inheritance rules in the policy, field filters can be specified. +function ManagementEnforcer:GetFilteredGroupingPolicy(fieldIndex, ...) + return self:GetFilteredNamedGroupingPolicy("g", fieldIndex, ...) +end +-- GetFilteredNamedGroupingPolicy gets all the role inheritance rules in the policy, field filters can be specified. +function ManagementEnforcer:GetFilteredNamedGroupingPolicy(ptype, fieldIndex, ...) + return self.model:getFilteredPolicy("g", ptype, fieldIndex, ...) +end + +-- HasPolicy determines whether an authorization rule exists. +function ManagementEnforcer:HasPolicy(...) + return self:HasNamedPolicy("p", ...) +end + +-- HasNamedPolicy determines whether a named authorization rule exists. +function ManagementEnforcer:HasNamedPolicy(ptype, ...) + local args = {...} + if type(args[1]) == "table" then + return self.model:hasPolicy("p", ptype, args[1]) + end + return self.model:hasPolicy("p", ptype, args) +end + +--[[ + * AddPolicy adds an authorization rule to the current policy. + * If the rule already exists, the function returns false and the rule will not be added. + * Otherwise the function returns true by adding the new rule. +]] +function ManagementEnforcer:AddPolicy(...) + return self:AddNamedPolicy("p", ...) +end + +--[[ + * AddNamedPolicy adds an authorization rule to the current named policy. + * If the rule already exists, the function returns false and the rule will not be added. + * Otherwise the function returns true by adding the new rule. +]] +function ManagementEnforcer:AddNamedPolicy(ptype, ...) + local args = {...} + if type(args[1]) == "table" then + return self:addPolicy("p", ptype, args[1]) + end + return self:addPolicy("p", ptype, args) +end + +--[[ + * AddPolicies adds authorization rules to the current policy. + * If the rule already exists, the function returns false for the corresponding rule and the rule will not be added. + * Otherwise the function returns true for the corresponding rule by adding the new rule. +]] +function ManagementEnforcer:AddPolicies(rules) + return self:AddNamedPolicies("p", rules) +end + +--[[ + * AddNamedPolicies adds authorization rules to the current named policy. + * If the rule already exists, the function returns false for the corresponding rule and the rule will not be added. + * Otherwise the function returns true for the corresponding by adding the new rule. +]] +function ManagementEnforcer:AddNamedPolicies(ptype, rules) + return self:addPolicies("p", ptype, rules) +end + +-- RemovePolicy removes an authorization rule from the current policy. +function ManagementEnforcer:RemovePolicy(...) + return self:RemoveNamedPolicy("p", ...) +end + +-- RemoveNamedPolicy removes an authorization rule from the current named policy. +function ManagementEnforcer:RemoveNamedPolicy(ptype, ...) + local args = {...} + if type(args[1]) == "table" then + return self:removePolicy("p", ptype, args[1]) + end + return self:removePolicy("p", ptype, args) +end + +-- RemovePolicies removes authorization rules from the current policy. +function ManagementEnforcer:RemovePolicies(rules) + return self:RemoveNamedPolicies("p", rules) +end + +-- RemoveNamedPolicy removes an authorization rule from the current named policy. +function ManagementEnforcer:RemoveNamedPolicies(ptype, rules) + return self:removePolicies("p", ptype, rules) +end + +-- RemoveFilteredPolicy removes an authorization rule from the current policy, field filters can be specified. +function ManagementEnforcer:RemoveFilteredPolicy(fieldIndex, ...) + return self:RemoveFilteredNamedPolicy("p", fieldIndex, ...) +end + +-- RemoveFilteredNamedPolicy removes an authorization rule from the current named policy, field filters can be specified. +function ManagementEnforcer:RemoveFilteredNamedPolicy(ptype, fieldIndex, ...) + return self:removeFilteredPolicy("p", ptype, fieldIndex, {...}) +end + +-- UpdatePolicy updates an authorization rule from the current policy. +function ManagementEnforcer:UpdatePolicy(oldPolicy, newPolicy) + return self:UpdateNamedPolicy("p", oldPolicy, newPolicy) +end + +-- UpdateNamedPolicy updates an authorization rule from the current named policy. +function ManagementEnforcer:UpdateNamedPolicy(ptype, oldPolicy, newPolicy) + return self:updatePolicy("p", ptype, oldPolicy, newPolicy) +end + +-- HasGroupingPolicy determines whether a role inheritance rule exists. +function ManagementEnforcer:HasGroupingPolicy(...) + return self:HasNamedGroupingPolicy("g", ...) +end + +-- HasNamedGroupingPolicy determines whether a named role inheritance rule exists. +function ManagementEnforcer:HasNamedGroupingPolicy(ptype, ...) + local args = {...} + if type(args[1]) == "table" then + return self.model:hasPolicy("g", ptype, args[1]) + end + return self.model:hasPolicy("g", ptype, args) +end + +--[[ + * AddGroupingPolicy adds a role inheritance rule to the current policy. + * If the rule already exists, the function returns false and the rule will not be added. + * Otherwise the function returns true by adding the new rule. +]] +function ManagementEnforcer:AddGroupingPolicy(...) + return self:AddNamedGroupingPolicy("g", ...) +end + +--[[ + * AddNamedGroupingPolicy adds a named role inheritance rule to the current policy. + * If the rule already exists, the function returns false and the rule will not be added. + * Otherwise the function returns true by adding the new rule. +]] +function ManagementEnforcer:AddNamedGroupingPolicy(ptype, ...) + local args = {...} + if type(args[1]) == "table" then + return self:addPolicy("g", ptype, args[1]) + end + return self:addPolicy("g", ptype, args) +end + +--[[ + * AddGroupingPolicies adds role inheritance rules to the current policy. + * If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be added. + * Otherwise the function returns true for the corresponding policy rule by adding the new rule. +]] +function ManagementEnforcer:AddGroupingPolicies(rules) + return self:AddNamedGroupingPolicies("g", rules) +end + +--[[ + * AddNamedGroupingPolicies adds named role inheritance rules to the current policy. + * If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be added. + * Otherwise the function returns true for the corresponding policy rule by adding the new rule. +]] +function ManagementEnforcer:AddNamedGroupingPolicies(ptype, rules) + return self:addPolicies("g", ptype, rules) +end + +-- RemoveGroupingPolicy removes a role inheritance rule from the current policy. +function ManagementEnforcer:RemoveGroupingPolicy(...) + return self:RemoveNamedGroupingPolicy("g", ...) +end + +-- RemoveNamedGroupingPolicy removes a role inheritance rule from the current named policy. +function ManagementEnforcer:RemoveNamedGroupingPolicy(ptype, ...) + local args = {...} + if type(args[1]) == "table" then + return self:removePolicy("g", ptype, args[1]) + end + return self:removePolicy("g", ptype, args) +end + +-- RemoveGroupingPolicies removes role inheritance rules from the current policy. +function ManagementEnforcer:RemoveGroupingPolicies(rules) + return self:RemoveNamedGroupingPolicies("g", rules) +end + +-- RemoveNamedGroupingPolicies removes role inheritance rules from the current named policy. +function ManagementEnforcer:RemoveNamedGroupingPolicies(ptype, rules) + return self:removePolicies("g", ptype, rules) +end + +-- RemoveFilteredGroupingPolicy removes a role inheritance rule from the current policy, field filters can be specified. +function ManagementEnforcer:RemoveFilteredGroupingPolicy(fieldIndex, ...) + return self:RemoveFilteredNamedGroupingPolicy("g", fieldIndex, ...) +end + +-- RemoveFilteredNamedGroupingPolicy removes a role inheritance rule from the current named policy, field filters can be specified. +function ManagementEnforcer:RemoveFilteredNamedGroupingPolicy(ptype, fieldIndex, ...) + return self:removeFilteredPolicy("g", ptype, fieldIndex, {...}) +end + +-- UpdateGroupingPolicy updates a role inheritance rule from the current policy. +function ManagementEnforcer:UpdateGroupingPolicy(oldPolicy, newPolicy) + return self:UpdateNamedGroupingPolicy("g", oldPolicy, newPolicy) +end + +-- UpdateNamedGroupingPolicy updates a role inheritance rule from the current named policy. +function ManagementEnforcer:UpdateNamedGroupingPolicy(ptype, oldPolicy, newPolicy) + return self:updatePolicy("g", ptype, oldPolicy, newPolicy) +end + +-- AddFunction adds a customized function to the FunctionMap. +function ManagementEnforcer:AddFunction(name, func) + FunctionMap:addFunction(name, func) +end + +return ManagementEnforcer \ No newline at end of file diff --git a/src/model/FunctionMap.lua b/src/model/FunctionMap.lua index c541ce4..282785e 100644 --- a/src/model/FunctionMap.lua +++ b/src/model/FunctionMap.lua @@ -14,16 +14,27 @@ require("src.util.BuiltInFunctions") -FunctionMap = {} +FunctionMap = { + ["keyMatch"] = BuiltInFunctions.keyMatchFunc, + ["keyGet"] = BuiltInFunctions.keyGetFunc, + ["keyMatch2"] = BuiltInFunctions.keyMatch2Func, + ["keyMatch3"] = BuiltInFunctions.keyMatch3Func, + ["regexMatch"] = BuiltInFunctions.regexMatchFunc, + ["globMatch"] = BuiltInFunctions.globMatch +} -- FunctionMap provides a set of built in functions function FunctionMap:new() local o = {} - o["keyMatch"] = BuiltInFunctions.keyMatchFunc - o["keyGet"] = BuiltInFunctions.keyGetFunc - o["keyMatch2"] = BuiltInFunctions.keyMatch2Func - o["keyMatch3"] = BuiltInFunctions.keyMatch3Func - o["regexMatch"] = BuiltInFunctions.regexMatchFunc - o["globMatch"] = BuiltInFunctions.globMatch + for k, v in pairs(FunctionMap) do + o[k] = v + end return o +end + +-- Add new built-in function to FunctionMap +function FunctionMap:addFunction(key, func) + if not self[key] then + self[key] = func + end end \ No newline at end of file diff --git a/src/model/Policy.lua b/src/model/Policy.lua index a2bc5b4..953b4d2 100644 --- a/src/model/Policy.lua +++ b/src/model/Policy.lua @@ -115,7 +115,8 @@ end * @return the policy rules of section sec and policy type ptype. ]] function Policy:getPolicy(sec, ptype) - return self.model[sec][ptype].policy + local policy = Util.tableDeepCopy(self.model[sec][ptype].policy) + return policy end --[[ @@ -354,6 +355,19 @@ function Policy:getValuesForFieldInPolicy(sec, ptype, fieldIndex) return values end +function Policy:getValuesForFieldInPolicyAllTypes(sec, fieldIndex) + local values = {} + + for ptype, _ in pairs(self.model[sec]) do + local tvalues = self:getValuesForFieldInPolicy(sec, ptype, fieldIndex) + for _, v in pairs(tvalues) do + table.insert(values, v) + end + end + + return values +end + function Policy:buildIncrementalRoleLinks(rm, op, sec, ptype, rules) if sec == "g" then self.model[sec][ptype]:buildIncrementalRoleLinks(rm, op, rules) diff --git a/src/util/Util.lua b/src/util/Util.lua index aba2e29..57ebdb9 100644 --- a/src/util/Util.lua +++ b/src/util/Util.lua @@ -190,5 +190,17 @@ function Util.replaceInOfMatcher(str) return s end +-- returns deep (recursive) copy of a table (values only) +function Util.tableDeepCopy(org) + local copy = {} + for k, v in pairs(org) do + if type(v) == "table" then + copy[k] = Util.tableDeepCopy(v) + else + copy[k] = v + end + end + return copy +end return Util