diff --git a/modules/auth/casbin.go b/modules/auth/casbin.go index d5db662..e8df331 100644 --- a/modules/auth/casbin.go +++ b/modules/auth/casbin.go @@ -14,25 +14,23 @@ import ( "github.com/oj-lab/oj-lab-platform/modules/log" ) -const ABACModelString = ` +const RBACModelString = ` [request_definition] -r = sub, obj, act +r = sub, info, dom, obj, act [policy_definition] -p = sub_rule, obj, act, eft +p = sub, info_rule, dom, obj, act, eft + +[role_definition] +g = _, _ [policy_effect] -e = some(where (p.eft == allow)) && !some(where (p.eft == deny)) +e = some(where (p.eft == allow)) [matchers] -m = eval(p.sub_rule) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act) +m = g(r.sub, p.sub) && eval(p.info_rule) && r.dom == p.dom && r.obj == p.obj && regexMatch(r.act, p.act) ` -type CasbinSubject struct { - Age int - Role string -} - var casbinEnforcer *casbin.SyncedCachedEnforcer func GetDefaultCasbinEnforcer() *casbin.SyncedCachedEnforcer { @@ -56,7 +54,7 @@ func GetDefaultCasbinEnforcer() *casbin.SyncedCachedEnforcer { if err != nil && adapter == nil { panic(err) } - model, err := model.NewModelFromString(ABACModelString) + model, err := model.NewModelFromString(RBACModelString) if err != nil { panic(err) } @@ -83,11 +81,11 @@ func GetDefaultCasbinEnforcer() *casbin.SyncedCachedEnforcer { func LoadDefaultCasbinPolicies() error { enforcer := GetDefaultCasbinEnforcer() - _, err := enforcer.AddPolicy(`r.sub.Age > 18 && r.sub.Age < 60`, `testData`, http.MethodGet, "allow") + _, err := enforcer.AddPolicy(`admin`, `true`, `system`, `testData`, http.MethodGet, "allow") if err != nil { return err } - _, err = enforcer.AddPolicy(`r.sub.Role == 'admin'`, `adminRequired`, + _, err = enforcer.AddPolicy(`admin`, `true`, `system`, `adminRequired`, strings.Join([]string{ http.MethodGet, http.MethodPost, 
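Review bot: In the `@@ -14,25 +14,23 @@` hunk the new `[policy_effect]` drops the `!some(where (p.eft == deny))` clause while `[policy_definition]` still carries `eft`, so a stored rule with `deny` no longer overrides a matching allow and is silently inert. Either keep the previous effect line, `e = some(where (p.eft == allow)) && !some(where (p.eft == deny))`, or remove `eft` from the policy definition so nobody writes a deny rule expecting it to hold. Separately, `g = _, _` with `g(r.sub, p.sub)` makes role membership global: `r.dom == p.dom` limits the policy but not the grant, so a role assigned once applies in every domain. If per-domain roles are intended, the usual Casbin form is `g = _, _, _` with `g(r.sub, p.sub, r.dom)`. Also note that `eval(p.info_rule)` executes whatever expression is stored in the policy table, so writes to that table should stay restricted to trusted code paths.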
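Review bot: The two `AddPolicy` calls in the `@@ -83,11 +81,11 @@` hunk pass six positional strings with nothing tying them to the model's columns, and the second argument (`true`) is an expression that the matcher runs through `eval`. A comment above the first call such as `// columns: sub, info_rule (evaluated by eval), dom, obj, act, eft` would make the order checkable and warn future callers not to build `info_rule` from request data. The body of LoadDefaultCasbinPolicies continues past the end of this hunk.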
@@ -97,6 +95,10 @@ func LoadDefaultCasbinPolicies() error { if err != nil { return err } + _, err = enforcer.AddGroupingPolicy(`test_user`, `admin`) + if err != nil { + return err + } err = enforcer.SavePolicy() if err != nil { return err diff --git a/tests/core/casbin_test.go b/tests/core/casbin_test.go index c61a366..2e524cb 100644 --- a/tests/core/casbin_test.go +++ b/tests/core/casbin_test.go @@ -15,14 +15,13 @@ func TestCasbin(t *testing.T) { t.Error(err) } - policies, err := enforcer.GetFilteredPolicy(1, `testData`) + policies, err := enforcer.GetFilteredPolicy(3, `testData`) if err != nil { t.Error(err) } t.Logf("Policies: %v", policies) - subject := auth.CasbinSubject{Age: 30} - allow, err := enforcer.Enforce(subject, `testData`, http.MethodGet) + allow, err := enforcer.Enforce("admin", "_", `system`, `testData`, http.MethodGet) if err != nil { t.Error(err) } @@ -30,8 +29,7 @@ func TestCasbin(t *testing.T) { t.Error("Expected to allow") } - subject = auth.CasbinSubject{Age: 30, Role: "admin"} - allow, err = enforcer.Enforce(subject, `adminRequired`, http.MethodDelete) + allow, err = enforcer.Enforce("test_user", "_", `system`, `adminRequired`, http.MethodDelete) if err != nil { t.Error(err) }
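Review bot: The added `enforcer.AddGroupingPolicy(...)` call in the `@@ -97,6 +95,10 @@` hunk binds the hard-coded subject `test_user` to the `admin` role inside the default policy set, and the `SavePolicy()` right after it persists that grant through the adapter. Whether LoadDefaultCasbinPolicies runs outside tests is not visible here; if it does, any account whose subject string is `test_user` receives every `admin` policy. Move the grouping into the test setup in tests/core/casbin_test.go, or gate it behind an explicit development-only switch. The function starts above this hunk.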
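Review bot: Both `Enforce` calls changed in tests/core/casbin_test.go (hunks `@@ -15,14 +15,13 @@` and `@@ -30,8 +29,7 @@`) assert only the allow path, so a matcher that allowed every request would still pass. For an authorization model change add at least one negative case, for example `allow, err = enforcer.Enforce("no_role_user", "_", "system", "adminRequired", http.MethodDelete)` followed by `if allow { t.Error("Expected to deny") }`, where `no_role_user` is a constructed subject with no grouping. A second case using a domain other than `system` would pin the `r.dom == p.dom` term. TestCasbin starts above the first hunk.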