casbin / Casbin.NET

An authorization library that supports access control models like ACL, RBAC, ABAC in .NET (C#)

Home Page: https://casbin.org

Rules work on Casbin Editor but not on Casbin.Net

mari3728 opened this issue · comments

Hello,

I'm using the latest stable Casbin.Net (version 1.13.0 as of now) and I'd like to add a rule "everyone on the domain belongs to the group". My scenario works on Casbin Editor but not in the code.

Here's my model, policies, request and code sample:

Model
Note: it's an RBAC model because I already use it for RBAC

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && regexMatch(r.obj, p.obj) && regexMatch(r.act, p.act)

Policies:

p, MyResourceName, domain-123, my-resourceId, access, allow

g, *, Team::TeamEveryoneKey, domain-123
g, Team::TeamEveryoneKey, MyResourceName, domain-123

Request
alice, domain-123, my-resourceId, access

Works on Casbin Editor:

Sample code in C#:

using System;
using NetCasbin;
using NetCasbin.Model;
using System.Linq;
using System.Text.RegularExpressions;

public class Program
{
	public static void Main()
	{
		var modelText = @"[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && regexMatch(r.obj, p.obj) && regexMatch(r.act, p.act)";
		var casbinRules = @"
p, MyResourceName, domain-123, my-resourceId, access, allow

g, *, Team::TeamEveryoneKey, domain-123
g, Team::TeamEveryoneKey, MyResourceName, domain-123
";
		var model = Model.CreateDefaultFromText(modelText);
		var enforcer = new Enforcer(model);
		enforcer.EnableAutoBuildRoleLinks(false);
		var rules = Regex.Split(casbinRules, "\r\n|\r|\n");
		var policies = rules.Where(l => l.StartsWith("p")).Select(x => x.Split(',').Skip(1).Select(y => y.Trim()).ToList()).ToList();
		Console.WriteLine(string.Join(",", policies.SelectMany(p => p)));
		enforcer.AddPolicies(policies);
		var groups = rules.Where(l => l.StartsWith("g")).Select(x => x.Split(',').Skip(1).Select(y => y.Trim()).ToList()).ToList();
		Console.WriteLine(string.Join(",", groups.SelectMany(p => p)));
		Console.WriteLine(string.Join(",", groups));
		enforcer.BuildRoleLinks();
		
		var result = enforcer.EnforceEx("alice", "domain-123", "my-resourceId", "access");
		
		Console.WriteLine(result.Result);
		Console.WriteLine(result.Explains.FirstOrDefault());
	}
}

Thanks in advance for the help!

@marifaleiros Hi, we cannot reproduce your issue at https://editor.casbin.org/#2CNB8XD9F; you can see the result is false here. Please also share your editor page.


@marifaleiros
Hi, as mentioned in the query above, the issue you raised is not reproduced in the online editor, but I have modified it to some extent (link: https://editor.casbin.org/#7VRMT6ZLH), and I think this is the problem you are experiencing.
I guess there are three problems with your code: the first is about regular expression syntax, the second is about needing to register regular matching methods with the enforcer, and the third is maybe that you forgot to add the grouping policy.
The code that I think is correct is as follows; I hope it helps you.

using System;
using NetCasbin;
using NetCasbin.Model;
using System.Linq;
using System.Text.RegularExpressions;
// using System.Reflection;
using NetCasbin.Extensions;
using NetCasbin.Util;
// using NetCasbin.Util.Function;

public class Program
{
    public static void Main()
    {
        var modelText = @"[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && regexMatch(r.obj, p.obj) && regexMatch(r.act, p.act)";
        var casbinRules = @"
p, MyResourceName, domain-123, my-resourceId, access, allow

g, .*, Team::TeamEveryoneKey, domain-123
g, Team::TeamEveryoneKey, MyResourceName, domain-123
";
        // 1 (not '*' but '.*')
        var model = Model.CreateDefaultFromText(modelText);
        var enforcer = new Enforcer(model);
        enforcer.EnableAutoBuildRoleLinks(false);
        // 2 (https://casbin.org/zh/docs/rbac-with-pattern)
        enforcer.AddNamedMatchingFunc("g", BuiltInFunctions.RegexMatch);
        var rules = Regex.Split(casbinRules, "\r\n|\r|\n");
        var policies = rules.Where(l => l.StartsWith("p")).Select(x => x.Split(',').Skip(1).Select(y => y.Trim()).ToList()).ToList();
        Console.WriteLine(string.Join(",", policies.SelectMany(p => p)));
        enforcer.AddPolicies(policies);
        var groups = rules.Where(l => l.StartsWith("g")).Select(x => x.Split(',').Skip(1).Select(y => y.Trim()).ToList()).ToList();
        Console.WriteLine(string.Join(",", groups.SelectMany(p => p)));
        Console.WriteLine(string.Join(",", groups));
        // 3 (Maybe you missed it)
        enforcer.AddGroupingPolicies(groups);
        enforcer.BuildRoleLinks();

        var result = enforcer.EnforceEx("alice", "domain-123", "my-resourceId", "access");

        Console.WriteLine(result.Result);
        Console.WriteLine(result.Explains.FirstOrDefault());
    }
}
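
The three points in the reply above, reproduced with a simplified stand-in for a role manager. This is an added example, not Casbin.NET's implementation and not code from this thread; `RoleLinkDemo`, `Link`, `HasLink`, `Exact` and `AnchoredRegex` are hypothetical names. Anchoring the pattern is an assumption made here so that a pattern cannot match only a substring of a name.

```csharp
// Added example: simplified model of role-link resolution, not Casbin.NET code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class RoleLinkDemo
{
    // One grouping rule "g, user, role, domain" (hypothetical type).
    public record Link(string User, string Role, string Domain);

    // Walks links transitively; `match(requested, stored)` decides whether a
    // stored user name covers the requested one. Depth-limited to stop cycles.
    public static bool HasLink(IReadOnlyList<Link> links, Func<string, string, bool> match,
                               string subject, string role, string domain, int depth = 10)
    {
        if (subject == role) return true;
        if (depth == 0) return false;
        return links.Where(l => l.Domain == domain && match(subject, l.User))
                    .Any(l => HasLink(links, match, l.Role, role, domain, depth - 1));
    }

    // Behaviour without a matching function: names compare as literals.
    public static bool Exact(string requested, string stored) => requested == stored;

    // Pattern matching, anchored so a pattern must cover the whole name.
    public static bool AnchoredRegex(string requested, string pattern)
    {
        try { return Regex.IsMatch(requested, "^(?:" + pattern + ")$"); }
        catch (ArgumentException) { return false; } // "*" alone is not a valid regex
    }

    public static void Main()
    {
        var team = new Link("Team::TeamEveryoneKey", "MyResourceName", "domain-123");
        var star = new[] { new Link("*", "Team::TeamEveryoneKey", "domain-123"), team };
        var dotStar = new[] { new Link(".*", "Team::TeamEveryoneKey", "domain-123"), team };
        bool Check(IReadOnlyList<Link> l, Func<string, string, bool> m, string dom) =>
            HasLink(l, m, "alice", "MyResourceName", dom);

        Console.WriteLine(Check(star, Exact, "domain-123"));            // "*" is a literal user name
        Console.WriteLine(Check(star, AnchoredRegex, "domain-123"));    // "*" rejected as a pattern
        Console.WriteLine(Check(Array.Empty<Link>(), AnchoredRegex, "domain-123")); // g rules never added
        Console.WriteLine(Check(dotStar, AnchoredRegex, "domain-123")); // ".*" with matching enabled
        Console.WriteLine(Check(dotStar, AnchoredRegex, "domain-456")); // same rules, other domain
    }
}
```

Only the fourth call finds a link for alice; the last one shows the wildcard grant staying inside `domain-123`, which is worth keeping as a negative test whenever an "everyone" rule is introduced.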

@marifaleiros any update?

Closed as stale