[feature] Add policy filters to file adapter

Ryan Clarke · Ryan Clarke · commit 1c3536108183 · 2018-03-14T19:09:21.000-04:00
Extend the default file adapter to support the new policy
filtering feature.
diff --git a/README.md b/README.md
@@ -212,6 +212,7 @@ import (
 adapter := mongodbadapter.NewFilteredAdapter("127.0.0.1:27017")
 enforcer := casbin.NewEnforcer("examples/rbac_with_domains_model.conf", adapter)
 
+// Values of type `map[string]interface{}` may be used here instead of BSON.
 filter := &bson.M{
     "$or": []bson.M{
         bson.M{"ptype": "p", "v1": "mydomain"},
diff --git a/enforcer.go b/enforcer.go
@@ -31,14 +31,14 @@ import (
 
 // Enforcer is the main interface for authorization enforcement and policy management.
 type Enforcer struct {
-	modelPath          string
-	model              model.Model
-	fm                 model.FunctionMap
-	eft                effect.Effector
+	modelPath string
+	model     model.Model
+	fm        model.FunctionMap
+	eft       effect.Effector
 
-	adapter            persist.Adapter
-	watcher            persist.Watcher
-	rm                 rbac.RoleManager
+	adapter persist.Adapter
+	watcher persist.Watcher
+	rm      rbac.RoleManager
 
 	enabled            bool
 	autoSave           bool
@@ -192,7 +192,7 @@ func (e *Enforcer) SetAdapter(adapter persist.Adapter) {
 // SetWatcher sets the current watcher.
 func (e *Enforcer) SetWatcher(watcher persist.Watcher) {
 	e.watcher = watcher
-	watcher.SetUpdateCallback(func (string) {e.LoadPolicy()})
+	watcher.SetUpdateCallback(func(string) { e.LoadPolicy() })
 }
 
 // SetRoleManager sets the current role manager.
diff --git a/enforcer_safe.go b/enforcer_safe.go
@@ -97,4 +97,4 @@ func (e *Enforcer) RemoveFilteredPolicySafe(fieldIndex int, fieldValues ...strin
 	result = e.RemoveFilteredNamedPolicy("p", fieldIndex, fieldValues...)
 	err = nil
 	return
-}
+}
diff --git a/enforcer_synced.go b/enforcer_synced.go
@@ -24,7 +24,7 @@ import (
 
 type SyncedEnforcer struct {
 	*Enforcer
-	m sync.RWMutex
+	m        sync.RWMutex
 	autoLoad bool
 }
 
@@ -50,10 +50,10 @@ func (e *SyncedEnforcer) StartAutoLoadPolicy(d time.Duration) {
 			e.LoadPolicy()
 			// Uncomment this line to see when the policy is loaded.
 			// log.Print("Load policy for time: ", n)
-			n ++
+			n++
 			time.Sleep(d)
 		}
-	} ()
+	}()
 }
 
 func (e *SyncedEnforcer) StopAutoLoadPolicy() {
@@ -63,7 +63,7 @@ func (e *SyncedEnforcer) StopAutoLoadPolicy() {
 // SetWatcher sets the current watcher.
 func (e *SyncedEnforcer) SetWatcher(watcher persist.Watcher) {
 	e.watcher = watcher
-	watcher.SetUpdateCallback(func (string) {e.LoadPolicy()})
+	watcher.SetUpdateCallback(func(string) { e.LoadPolicy() })
 }
 
 // ClearPolicy clears all policy.
diff --git a/enforcer_test.go b/enforcer_test.go
@@ -400,4 +400,19 @@ func TestInitEmpty(t *testing.T) {
 	e.LoadPolicy()
 
 	testEnforce(t, e, "alice", "/alice_data/resource1", "GET", true)
-}
+}
+
+func TestLoadFilteredPolicy(t *testing.T) {
+	e := NewEnforcer("examples/rbac_with_domains_model.conf", "examples/rbac_with_domains_policy.csv")
+
+	testHasPolicy(t, e, []string{"admin", "domain1", "data1", "read"}, true)
+	testHasPolicy(t, e, []string{"admin", "domain2", "data2", "read"}, true)
+
+	e.LoadFilteredPolicy(&fileadapter.Filter{
+		P: []string{"", "domain1"},
+		G: []string{"", "", "domain1"},
+	})
+
+	testHasPolicy(t, e, []string{"admin", "domain1", "data1", "read"}, true)
+	testHasPolicy(t, e, []string{"admin", "domain2", "data2", "read"}, false)
+}
diff --git a/model_b_test.go b/model_b_test.go
@@ -59,11 +59,11 @@ func BenchmarkRBACModelSmall(b *testing.B) {
 	e.EnableAutoBuildRoleLinks(false)
 	// 100 roles, 10 resources.
 	for i := 0; i < 100; i++ {
-		e.AddPolicy(fmt.Sprintf("group%d", i), fmt.Sprintf("data%d", i / 10), "read")
+		e.AddPolicy(fmt.Sprintf("group%d", i), fmt.Sprintf("data%d", i/10), "read")
 	}
 	// 1000 users.
 	for i := 0; i < 1000; i++ {
-		e.AddGroupingPolicy(fmt.Sprintf("user%d", i), fmt.Sprintf("group%d", i / 10))
+		e.AddGroupingPolicy(fmt.Sprintf("user%d", i), fmt.Sprintf("group%d", i/10))
 	}
 	e.BuildRoleLinks()
 
@@ -79,11 +79,11 @@ func BenchmarkRBACModelMedium(b *testing.B) {
 	e.EnableAutoBuildRoleLinks(false)
 	// 1000 roles, 100 resources.
 	for i := 0; i < 1000; i++ {
-		e.AddPolicy(fmt.Sprintf("group%d", i), fmt.Sprintf("data%d", i / 10), "read")
+		e.AddPolicy(fmt.Sprintf("group%d", i), fmt.Sprintf("data%d", i/10), "read")
 	}
 	// 10000 users.
 	for i := 0; i < 10000; i++ {
-		e.AddGroupingPolicy(fmt.Sprintf("user%d", i), fmt.Sprintf("group%d", i / 10))
+		e.AddGroupingPolicy(fmt.Sprintf("user%d", i), fmt.Sprintf("group%d", i/10))
 	}
 	e.BuildRoleLinks()
 
@@ -99,11 +99,11 @@ func BenchmarkRBACModelLarge(b *testing.B) {
 	e.EnableAutoBuildRoleLinks(false)
 	// 10000 roles, 1000 resources.
 	for i := 0; i < 10000; i++ {
-		e.AddPolicy(fmt.Sprintf("group%d", i), fmt.Sprintf("data%d", i / 10), "read")
+		e.AddPolicy(fmt.Sprintf("group%d", i), fmt.Sprintf("data%d", i/10), "read")
 	}
 	// 100000 users.
 	for i := 0; i < 100000; i++ {
-		e.AddGroupingPolicy(fmt.Sprintf("user%d", i), fmt.Sprintf("group%d", i / 10))
+		e.AddGroupingPolicy(fmt.Sprintf("user%d", i), fmt.Sprintf("group%d", i/10))
 	}
 	e.BuildRoleLinks()
 
diff --git a/model_test.go b/model_test.go
@@ -286,8 +286,12 @@ func NewRoleManager() rbac.RoleManager {
 	return &testCustomRoleManager{}
 }
 func (rm *testCustomRoleManager) Clear() error { return nil }
-func (rm *testCustomRoleManager) AddLink(name1 string, name2 string, domain ...string) error { return nil }
-func (rm *testCustomRoleManager) DeleteLink(name1 string, name2 string, domain ...string) error { return nil }
+func (rm *testCustomRoleManager) AddLink(name1 string, name2 string, domain ...string) error {
+	return nil
+}
+func (rm *testCustomRoleManager) DeleteLink(name1 string, name2 string, domain ...string) error {
+	return nil
+}
 func (rm *testCustomRoleManager) HasLink(name1 string, name2 string, domain ...string) (bool, error) {
 	if name1 == "alice" && name2 == "alice" {
 		return true, nil
diff --git a/persist/file-adapter/adapter.go b/persist/file-adapter/adapter.go
@@ -31,6 +31,15 @@ import (
 // It can load policy from file or save policy to file.
 type Adapter struct {
 	filePath string
+	filtered bool
+}
+
+// Filter defines filter options for Adater.
+type Filter struct {
+	// P is the filter option for "p" policies.
+	P []string
+	// G is the filter option for "g" policies.
+	G []string
 }
 
 // NewAdapter is the constructor for Adapter.
@@ -40,18 +49,46 @@ func NewAdapter(filePath string) *Adapter {
 	return &a
 }
 
+// NewFilteredAdapter is the constructor for FilteredAdapter.
+func NewFilteredAdapter(filePath string) *Adapter {
+	return NewAdapter(filePath)
+}
+
 // LoadPolicy loads all policy rules from the storage.
 func (a *Adapter) LoadPolicy(model model.Model) error {
+	return a.LoadFilteredPolicy(model, nil)
+}
+
+// LoadFilteredPolicy loads matching policy rules from the storage.
+func (a *Adapter) LoadFilteredPolicy(model model.Model, filter interface{}) error {
+	var filterValue *Filter
+	if filter == nil {
+		a.filtered = false
+	} else {
+		var ok bool
+		filterValue, ok = filter.(*Filter)
+		if !ok {
+			return errors.New("invalid filter type, expected *Filter")
+		}
+		a.filtered = true
+	}
 	if a.filePath == "" {
 		return errors.New("invalid file path, file path cannot be empty")
 	}
 
-	err := a.loadPolicyFile(model, persist.LoadPolicyLine)
-	return err
+	return a.loadPolicyFile(model, filterValue, persist.LoadPolicyLine)
+}
+
+// IsFiltered returns true if the loaded policy is filtered.
+func (a *Adapter) IsFiltered() bool {
+	return a.filtered
 }
 
 // SavePolicy saves all policy rules to the storage.
 func (a *Adapter) SavePolicy(model model.Model) error {
+	if a.filtered == true {
+		return errors.New("cannot save a filtered policy")
+	}
 	if a.filePath == "" {
 		return errors.New("invalid file path, file path cannot be empty")
 	}
@@ -78,7 +115,7 @@ func (a *Adapter) SavePolicy(model model.Model) error {
 	return err
 }
 
-func (a *Adapter) loadPolicyFile(model model.Model, handler func(string, model.Model)) error {
+func (a *Adapter) loadPolicyFile(model model.Model, filter *Filter, handler func(string, model.Model)) error {
 	f, err := os.Open(a.filePath)
 	if err != nil {
 		return err
@@ -89,6 +126,14 @@ func (a *Adapter) loadPolicyFile(model model.Model, handler func(string, model.M
 	for {
 		line, err := buf.ReadString('\n')
 		line = strings.TrimSpace(line)
+
+		// If a filter is defined, apply it to the policy
+		if filter != nil {
+			if filterLine(line, filter) {
+				continue
+			}
+		}
+
 		handler(line, model)
 		if err != nil {
 			if err == io.EOF {
@@ -99,6 +144,28 @@ func (a *Adapter) loadPolicyFile(model model.Model, handler func(string, model.M
 	}
 }
 
+func filterLine(line string, filter *Filter) bool {
+	p := strings.Split(line, ",")
+	if len(p) == 0 {
+		return true
+	}
+	var filterSet []string
+	if strings.TrimSpace(p[0]) == "p" {
+		filterSet = filter.P
+	}
+	if strings.TrimSpace(p[0]) == "g" {
+		filterSet = filter.G
+	}
+	var skip bool
+	for i, v := range filterSet {
+		if len(p) < i+2 || len(v) > 0 && strings.TrimSpace(v) != strings.TrimSpace(p[i+1]) {
+			skip = true
+			break
+		}
+	}
+	return skip
+}
+
 func (a *Adapter) savePolicyFile(text string) error {
 	f, err := os.Create(a.filePath)
 	if err != nil {
