From 77a115f45e2d74dcb6869ef0b22f494d1fcb70bd Mon Sep 17 00:00:00 2001
From: Rushikesh Tote <rushi.tote@gmail.com>
Date: Fri, 21 May 2021 16:00:12 +0530
Subject: [PATCH] feat: loading policy with priority explicitly

Signed-off-by: Rushikesh Tote <rushi.tote@gmail.com>
---
 spec/main/enforcer_spec.lua | 29 +++++++++++++++++++++++++++++
 src/main/CoreEnforcer.lua   |  5 ++++-
 src/model/Model.lua         | 22 ++++++++++++++++++++++
 3 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/spec/main/enforcer_spec.lua b/spec/main/enforcer_spec.lua
index ccfab2b..07793ac 100644
--- a/spec/main/enforcer_spec.lua
+++ b/spec/main/enforcer_spec.lua
@@ -93,4 +93,33 @@ describe("Enforcer tests", function ()
         assert.is.True(e:enforce("bob", "data2", "read"))
         assert.is.True(e:enforce("bob", "data2", "write"))
     end)
+
+    it("explicit priority test", function ()
+        local model  = path .. "/examples/priority_model_explicit.conf"
+        local policy  = path .. "/examples/priority_policy_explicit.csv"
+
+        local e = Enforcer:new(model, policy)
+        assert.is.True(e:enforce("alice", "data1", "write"))
+        assert.is.True(e:enforce("alice", "data1", "read"))
+        assert.is.False(e:enforce("bob", "data2", "read"))
+        assert.is.True(e:enforce("bob", "data2", "write"))
+        assert.is.False(e:enforce("data1_deny_group", "data1", "read"))
+        assert.is.False(e:enforce("data1_deny_group", "data1", "write"))
+        assert.is.True(e:enforce("data2_allow_group", "data2", "read"))
+        assert.is.True(e:enforce("data2_allow_group", "data2", "write"))
+
+        local rule = {"1", "bob", "data2", "write", "deny"}
+        e.model:addPolicy("p", "p", rule)
+        e.model:sortPoliciesByPriority()
+        e.model:printPolicy()
+
+        assert.is.True(e:enforce("alice", "data1", "write"))
+        assert.is.True(e:enforce("alice", "data1", "read"))
+        assert.is.False(e:enforce("bob", "data2", "read"))
+        assert.is.False(e:enforce("bob", "data2", "write"))
+        assert.is.False(e:enforce("data1_deny_group", "data1", "read"))
+        assert.is.False(e:enforce("data1_deny_group", "data1", "write"))
+        assert.is.True(e:enforce("data2_allow_group", "data2", "read"))
+        assert.is.True(e:enforce("data2_allow_group", "data2", "write"))
+    end)
 end)
diff --git a/src/main/CoreEnforcer.lua b/src/main/CoreEnforcer.lua
index d3a19dd..1a2f3a7 100644
--- a/src/main/CoreEnforcer.lua
+++ b/src/main/CoreEnforcer.lua
@@ -208,8 +208,11 @@ end
 ]]
 function CoreEnforcer:loadPolicy()
     self.model:clearPolicy()
-    self.adapter:loadPolicy(self.model);
+    self.adapter:loadPolicy(self.model)
+
+    self.model:sortPoliciesByPriority()
     self.model:printPolicy()
+
     if self.autoBuildRoleLinks then
         self:buildRoleLinks()
     end
diff --git a/src/model/Model.lua b/src/model/Model.lua
index 3c74723..b054092 100644
--- a/src/model/Model.lua
+++ b/src/model/Model.lua
@@ -182,4 +182,26 @@ function Model:printModel()
     end
 end
 
+-- sortPoliciesByPriority sorts policies by their priorities if 'priority' token exists
+function Model:sortPoliciesByPriority()
+     if not self.model["p"] then return end
+
+     for ptype, ast in pairs(self.model["p"]) do
+          local priorityIndex = 0
+          for inx, token in pairs(ast.tokens) do
+               if token == ptype .. "_priority" then
+                    priorityIndex = inx
+                    break
+               end
+          end
+          if priorityIndex == 0 then
+               return
+          end
+
+          table.sort(ast.policy, function (a, b)
+               return a[priorityIndex] < b[priorityIndex]
+          end)
+     end
+end
+
 return Model