[Bug] keyGet2 in matchers not working as expected

Question

[Bug] keyGet2 in matchers not working as expected

t5ujiri opened this issue 3 years ago · comments

Takumi Ito commented 3 years ago

Want to prioritize this issue? Try:

Describe the bug
keyGet2 in matchers is not evaluated correctly

To Reproduce
Steps to reproduce the behavior:
I want to implement RBAC with domain.
What I tried is,

policy.csv

p, admin, /workspaces/:workspace_id, (GET)|(PUT)|(DELETE), allow
p, member, /workspaces/:workspace_id, GET, allow

g, alice, admin, workspace1
g, alice, member, workspace2
g, bob, admin, workspace2

model.conf

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub, r.dom) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act) && getKey2(r.obj, p.obj, 'workspace_id') == r.dom

Expected behavior
request alice, workspace1, /workspaces/workspace1, GET expects true, but actually false returns.

Desktop (please complete the following information):

OS: Windows
Browser: Microsoft Edge (editor ceased working in chrome)
Version: Online Editor

Additional context
Registering custom function solved my issue already, but I still don't understand why the above implementation didn't go.

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub, r.dom) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act) && parseWorkspace(r.obj, p.obj, r.dom)

package main

import (
	"fmt"
	"github.com/casbin/casbin/v2"
	"github.com/casbin/casbin/v2/util"
	"log"
)

func main() {
	e, err := casbin.NewEnforcer("./model.conf", "./policy.csv")
	if err != nil {
		log.Fatal(err)
	}
	
	e.AddFunction("parseWorkspace", ParseWorkspace)

	enforce, err := e.Enforce("alice", "workspace1", "/workspaces/workspace1", "GET")
	if err != nil {
		return
	}

	fmt.Println(enforce)
}

func parseWorkspace(requestObj string, policyObj string, dom string) bool {
	return util.KeyGet2(requestObj, policyObj, "workspace_id") == dom
}

func ParseWorkspace(args ...interface{}) (interface{}, error) {
	name1 := args[0].(string)
	name2 := args[1].(string)
	name3 := args[2].(string)

	return parseWorkspace(name1, name2, name3), nil
}

Yang Luo · Answer 1 · Tue Jul 20 2021 19:34:58 GMT+0800 (China Standard Time)

@closetool @tangyang9464

Yang Tang · Answer 2 · Tue Jul 20 2021 21:44:35 GMT+0800 (China Standard Time)

@t5ujiri
Do you test the case in Go code?After my test, Go-casbin can work but the online editor is false.I think it may be online editor's error.

Kiloson · Answer 3 · Tue Jul 20 2021 21:48:07 GMT+0800 (China Standard Time)

@tangyang9464 @t5ujiri Modify getKey2 -> keyGet2

Yang Tang · Answer 4 · Tue Jul 20 2021 21:50:24 GMT+0800 (China Standard Time)

@tangyang9464 @t5ujiri Modify getKey2 -> keyGet2

I forgot to say that.But I test the case use keyGet2 not getKey2

Takumi Ito · Answer 5 · Wed Jul 21 2021 13:12:57 GMT+0800 (China Standard Time)

@closetool @tangyang9464
Here's the capture of online editor with fixed policy showing unexpected result.
The same policy and request worked gracefully in Go code.

Yang Tang · Answer 6 · Wed Jul 21 2021 14:01:16 GMT+0800 (China Standard Time)

maybe online editor depends on the node-casbin instead of Go-casbin

Kiloson · Answer 7 · Wed Jul 21 2021 23:51:46 GMT+0800 (China Standard Time)

cc: @Zxilly

Zxilly · Answer 8 · Thu Jul 22 2021 10:55:54 GMT+0800 (China Standard Time)

@closetool I think node-casbin didn't have keyGet2 right now. I will later add it.

Yang Luo · Answer 9 · Sat Jun 01 2024 23:23:26 GMT+0800 (China Standard Time)

🎉 This issue has been resolved in version 1.0.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀