casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java

Home Page: https://casbin.org

Allow the explanation in `enforceEx` and `enforceExWithMatcher` methods in the CoreEnforcer to be accessed externally

aryalrabin opened this issue · comments

The current implementation of the CoreEnforcer prints the explanation on the log but does not allow it to be accessed externally.

The methods should allow the explanation to be passed externally. The below two methods should be

```java
public boolean enforceEx(List<String> explain, Object... rvals) {
    return enforce("", explain, rvals);
}

public boolean enforceExWithMatcher(String matcher, List<String> explain, Object... rvals) {
    return enforce(matcher, explain, rvals);
}
```

commented

Could you give an example that manifests its necessity?

What I understand you mean is to replace `Hit Policy:` or add something around this. But I don't think it's necessary. 👀

You don't have to make any changes to Hit Policy:. The actual explanation is never returned back in jcasbin. Python or Go versions return multiple values with explanations back.
https://github.com/casbin/pycasbin/blob/6f6b1279cddef182ddce98a8c806130d67666f91/casbin/core_enforcer.py#L459
https://github.com/casbin/casbin/blob/63b2757cc60362d974921cb9065809b617d8b527/enforcer.go#L707

However, jcasbin only logs the `Hit policy:` and does not expose the explanation. If you look at the current implementation below

```java
public boolean enforceEx(Object... rvals) {
    // explain is created locally, so the caller never sees what enforce() puts in it
    List<String> explain = new ArrayList<>();
    return enforce("", explain, rvals);
}

public boolean enforceExWithMatcher(String matcher, Object... rvals) {
    // same here: the list is discarded when the method returns
    List<String> explain = new ArrayList<>();
    return enforce(matcher, explain, rvals);
}
```

Both enforceEx, enforceExWithMatcher print the Hit policy: in the log and never expose an explanation.

The above enforceEx, enforceExWithMatcher methods simply should let an explanation be passed as

```java
public boolean enforceEx(List<String> explain, Object... rvals) {
    return enforce("", explain, rvals);
}

public boolean enforceExWithMatcher(String matcher, List<String> explain, Object... rvals) {
    return enforce(matcher, explain, rvals);
}
```

The business necessity is that the policy is dynamically populated from AD and contains metadata at the end. These metadata are required for compliance and some critical business rules.

The example policy will look like

```
p, bob, data2, write, sensitivity, pii, mask
```
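
An added illustration, not part of the issue thread and not jcasbin code, of the calling pattern requested above: the caller passes in the `explain` list and reads the trailing metadata from the rule that actually produced the decision, instead of looking the policy up a second time. `ExplainDemo`, its stand-in `enforceEx`, the `POLICY` table and the `metadata` helper are hypothetical; the policy rows are constructed, the second one following the example in the issue.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical stand-in for illustration only; this is not jcasbin's CoreEnforcer.
public class ExplainDemo {
    // Constructed policy rows: sub, obj, act, then optional trailing metadata.
    static final List<List<String>> POLICY = Arrays.asList(
        Arrays.asList("alice", "data1", "read"),
        Arrays.asList("bob", "data2", "write", "sensitivity", "pii", "mask"));

    // Proposed shape: the caller owns the list and receives the hit policy in it.
    static boolean enforceEx(List<String> explain, Object... rvals) {
        for (List<String> rule : POLICY) {
            boolean hit = rule.size() >= rvals.length;
            for (int i = 0; hit && i < rvals.length; i++) {
                hit = rule.get(i).equals(String.valueOf(rvals[i]));
            }
            if (hit) {
                explain.addAll(rule); // decision and explanation come from one evaluation
                return true;
            }
        }
        return false; // default deny; explain stays empty
    }

    // Fields after sub/obj/act are metadata; empty when the rule carries none.
    static List<String> metadata(List<String> explain) {
        if (explain.size() <= 3) {
            return new ArrayList<String>();
        }
        return new ArrayList<String>(explain.subList(3, explain.size()));
    }

    public static void main(String[] args) {
        List<String> explain = new ArrayList<>();
        boolean allowed = enforceEx(explain, "bob", "data2", "write");
        System.out.println(allowed + " " + explain + " -> " + metadata(explain));

        // Denied request: nothing matched, so there is no metadata to act on.
        List<String> none = new ArrayList<>();
        System.out.println(enforceEx(none, "bob", "data1", "write") + " " + none);
    }
}
```

Code that applies obligations such as `mask` should read them only when the call returned true, since a denied request leaves the list empty.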

commented

Looks right, thanks for your advice. I will implement it later.

🎉 This issue has been resolved in version 1.31.1 🎉

The release is available on:

Your semantic-release bot 📦🚀