fix: enforcer for domain rbac and expression evaluation.

Author: divy9881

casbin/casbin.vcxproj

@@ -196,7 +196,7 @@
     <ClCompile Include="persist\default_watcher_ex.cpp" />
     <ClCompile Include="persist\file_adapter\batch_file_adapter.cpp" />
     <ClCompile Include="persist\file_adapter\file_adapter.cpp" />
-    <ClCompile Include="persist\file_adapter\filtered_adapter.cpp" />
+    <ClCompile Include="persist\file_adapter\filtered_file_adapter.cpp" />
     <ClCompile Include="rbac\default_role_manager.cpp" />
     <ClCompile Include="rbac_api.cpp" />
     <ClCompile Include="rbac_api_with_domains.cpp" />
@@ -267,14 +267,14 @@
     <ClInclude Include="model\scope_config.h" />
     <ClInclude Include="persist.h" />
     <ClInclude Include="persist\adapter.h" />
-    <ClInclude Include="persist\adapter_filtered.h" />
     <ClInclude Include="persist\batch_adapter.h" />
     <ClInclude Include="persist\default_watcher.h" />
     <ClInclude Include="persist\default_watcher_ex.h" />
     <ClInclude Include="persist\file-adapter\batch_file_adapter.h" />
     <ClInclude Include="persist\file-adapter\file_adapter.h" />
-    <ClInclude Include="persist\file-adapter\filtered_adapter.h" />
     <ClInclude Include="persist\file-adapter\pch.h" />
+    <ClInclude Include="persist\file_adapter\filtered_file_adapter.h" />
+    <ClInclude Include="persist\filtered_adapter.h" />
     <ClInclude Include="persist\pch.h" />
     <ClInclude Include="persist\watcher.h" />
     <ClInclude Include="persist\watcher_ex.h" />

casbin/casbin.vcxproj.filters

@@ -222,9 +222,6 @@
     <ClCompile Include="persist\file_adapter\file_adapter.cpp">
       <Filter>Source Files\persist\file_adapter</Filter>
     </ClCompile>
-    <ClCompile Include="persist\file_adapter\filtered_adapter.cpp">
-      <Filter>Source Files\persist\file_adapter</Filter>
-    </ClCompile>
     <ClCompile Include="persist\adapter.cpp">
       <Filter>Source Files\persist</Filter>
     </ClCompile>
@@ -255,6 +252,9 @@
     <ClCompile Include="ip_parser\parser\parseIPv4.cpp">
       <Filter>Source Files\ip_parser\parser</Filter>
     </ClCompile>
+    <ClCompile Include="persist\file_adapter\filtered_file_adapter.cpp">
+      <Filter>Source Files\persist\file_adapter</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="config\config_interface.h">
@@ -272,9 +272,6 @@
     <ClInclude Include="persist\adapter.h">
       <Filter>Header Files\persist</Filter>
     </ClInclude>
-    <ClInclude Include="persist\adapter_filtered.h">
-      <Filter>Header Files\persist</Filter>
-    </ClInclude>
     <ClInclude Include="persist\watcher.h">
       <Filter>Header Files\persist</Filter>
     </ClInclude>
@@ -416,9 +413,6 @@
     <ClInclude Include="duktape\pch.h">
       <Filter>Header Files\duktape</Filter>
     </ClInclude>
-    <ClInclude Include="persist\file-adapter\filtered_adapter.h">
-      <Filter>Header Files\persist\file_adapter</Filter>
-    </ClInclude>
     <ClInclude Include="effect\default_effector.h">
       <Filter>Header Files\effect</Filter>
     </ClInclude>
@@ -467,5 +461,11 @@
     <ClInclude Include="model\scope_config.h">
       <Filter>Header Files\model</Filter>
     </ClInclude>
+    <ClInclude Include="persist\filtered_adapter.h">
+      <Filter>Header Files\persist</Filter>
+    </ClInclude>
+    <ClInclude Include="persist\file_adapter\filtered_file_adapter.h">
+      <Filter>Header Files\persist\file_adapter</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>

casbin/config/config.cpp

@@ -156,9 +156,10 @@ void Config :: Set(string key, string value) {
     if (keys.size() >= 2) {
         section = keys[0];
         option = keys[1];
-    } else {
-        option = keys[0];
     }
+    else
+        option = keys[0];
+
     AddConfig(section, option, value);
     mtx_lock.unlock();
 }

casbin/enforcer.cpp

@@ -18,7 +18,7 @@
 
 #include "pch.h"
 
-// #include <iostream>
+#include <algorithm>
 
 #include "./enforcer.h"
 #include "./persist/watcher_ex.h"
@@ -39,6 +39,7 @@ bool Enforcer :: enforce(string matcher, Scope scope) {
     // }()
 
     this->func_map.scope = scope;
+    this->func_map.LoadFunctionMap();
 
     if(!this->enabled)
         return true;
@@ -52,16 +53,19 @@ bool Enforcer :: enforce(string matcher, Scope scope) {
     else
         exp_string = matcher;
 
+
     unordered_map <string, RoleManager*> rm_map;
     bool ok = this->model->m.find("g") != this->model->m.end();
+
     if(ok) {
         for(unordered_map <string, Assertion*> :: iterator it = this->model->m["g"].assertion_map.begin() ; it != this->model->m["g"].assertion_map.end() ; it++){
             RoleManager* rm = it->second->rm;
+            int char_count = int(count(it->second->value.begin(), it->second->value.end(), '_'));
             int index = int(exp_string.find((it->first)+"("));
             if(index != string::npos)
-                exp_string.insert(index+(it->first+"(").length()-1, (it->first)+"_rm");
-            PushPointer(this->func_map.scope, (void *)rm, (it->first)+"_rm");
-            this->func_map.AddFunction(it->first, GFunction);
+                exp_string.insert(index+(it->first+"(").length(), "rm, ");
+            PushPointer(this->func_map.scope, (void *)rm, "rm");
+            this->func_map.AddFunction(it->first, GFunction, char_count + 1);
         }
     }
 
@@ -94,7 +98,7 @@ bool Enforcer :: enforce(string matcher, Scope scope) {
                 PushStringPropToObject(this->func_map.scope, "p", p_vals[j], token);
             }
 
-            this->func_map.Eval(exp_string);
+            this->func_map.Evaluate(exp_string);
 
             //TODO
             // log.LogPrint("Result: ", result)
@@ -134,15 +138,17 @@ bool Enforcer :: enforce(string matcher, Scope scope) {
                 break;
         }
     } else {
-        this->func_map.Eval(exp_string);
+        bool isValid = this->func_map.Evaluate(exp_string);
+        if(!isValid)
+            return false;
         bool result = this->func_map.GetBooleanResult();
+
         //TODO
         // log.LogPrint("Result: ", result)
-
         if(result)
-            policy_effects[0] = Effect::Allow;
+            policy_effects.push_back(Effect::Allow);
         else
-            policy_effects[0] = Effect::Indeterminate;
+            policy_effects.push_back(Effect::Indeterminate);
     }
 
     //TODO
@@ -200,7 +206,7 @@ Enforcer* Enforcer :: NewEnforcer(Model* m, Adapter* adapter) {
 
     e->Initialize();
 
-    if (e->adapter != NULL) {
+    if (e->adapter->file_path != "") {
         e->LoadPolicy();
     }
     return e;
@@ -346,7 +352,6 @@ void Enforcer :: ClearPolicy() {
 void Enforcer :: LoadPolicy() {
     this->model->ClearPolicy();
     this->adapter->LoadPolicy(this->model);
-
     this->model->PrintPolicy();
 
     if(this->auto_build_role_links) {

casbin/enforcer.h

@@ -20,7 +20,7 @@
 #include "./rbac/role_manager.h"
 #include "./model/function.h"
 #include "./enforcer_interface.h"
-#include "./persist/adapter_filtered.h"
+#include "./persist/filtered_adapter.h"
 
 // Enforcer is the main interface for authorization enforcement and policy management.
 class Enforcer : public IEnforcer{
@@ -33,7 +33,6 @@ class Enforcer : public IEnforcer{
 
         Adapter* adapter;
         Watcher* watcher;
-        RoleManager* rm;
 
         bool enabled;
         bool auto_save;
@@ -45,6 +44,8 @@ class Enforcer : public IEnforcer{
 
     public:
 
+        RoleManager* rm;
+
         /**
          * Enforcer is the default constructor.
          */
@@ -190,7 +191,7 @@ class Enforcer : public IEnforcer{
         bool RemoveNamedGroupingPolicy(string ptype, vector<string> params);
         bool RemoveNamedGroupingPolicies(string p_type, vector<vector<string>> rules);
         bool RemoveFilteredNamedGroupingPolicy(string ptype, int field_index, vector<string> field_values);
-        void AddFunction(string name, Function);
+        void AddFunction(string name, Function function, Index nargs);
 
         /*RBAC API member functions.*/
         vector<string> GetRolesForUser(string name);

casbin/enforcer_interface.h

@@ -119,7 +119,7 @@ class IEnforcer {
         virtual bool RemoveNamedGroupingPolicy(string ptype, vector<string> params) = 0;
         virtual bool RemoveNamedGroupingPolicies(string p_type, vector<vector<string>> rules) = 0;
         virtual bool RemoveFilteredNamedGroupingPolicy(string ptype, int fieldIndex, vector<string> fieldValues) = 0;
-        virtual void AddFunction(string name, Function) = 0;
+        virtual void AddFunction(string name, Function function, Index nargs) = 0;
 
         /* Internal API member functions */
         virtual bool addPolicy(string sec, string ptype, vector<string> rule) = 0;

casbin/internal_api.cpp

@@ -22,6 +22,7 @@
 #include "./persist/batch_adapter.h"
 #include "./util/util.h"
 #include "./persist/watcher_ex.h"
+#include "./exception/unsupported_operation_exception.h"
 
 // addPolicy adds a rule to the current policy.
 bool Enforcer :: addPolicy(string sec, string p_type, vector<string> rule) {
@@ -34,8 +35,13 @@ bool Enforcer :: addPolicy(string sec, string p_type, vector<string> rule) {
         this->BuildIncrementalRoleLinks(policy_add, p_type, rules);
     }
 
-    if (this->adapter != NULL && this->auto_save)
-        this->adapter->AddPolicy(sec, p_type, rule);
+    if (this->adapter != NULL && this->auto_save) {
+        try {
+            this->adapter->AddPolicy(sec, p_type, rule);
+        }
+        catch(UnsupportedOperationException e) {
+        }
+    }
 
     if (this->watcher != NULL && this->auto_notify_watcher) {
         if (IsInstanceOf<WatcherEx>(this->watcher)) {
@@ -79,9 +85,14 @@ bool Enforcer :: removePolicy(string sec, string p_type, vector<string> rule) {
         vector<vector<string>> rules{rule};
         this->BuildIncrementalRoleLinks(policy_add, p_type, rules);
     }
-
-    if(this->adapter != NULL && this->auto_save)
-        this->adapter->RemovePolicy(sec, p_type, rule);
+    
+    if (this->adapter != NULL && this->auto_save) {
+        try {
+            this->adapter->RemovePolicy(sec, p_type, rule);
+        }
+        catch (UnsupportedOperationException e) {
+        }
+    }
 
     if(this->watcher !=NULL && this->auto_notify_watcher){
         if (IsInstanceOf<WatcherEx>(this->watcher)) {
@@ -127,8 +138,13 @@ bool Enforcer :: removeFilteredPolicy(string sec, string p_type, int field_index
     if (sec == "g")
         this->BuildIncrementalRoleLinks(policy_remove, p_type, effects);
 
-    if(this->adapter != NULL && this->auto_save)
-        this->adapter->RemoveFilteredPolicy(sec, p_type, field_index, field_values);
+    if (this->adapter != NULL && this->auto_save) {
+        try {
+            this->adapter->RemoveFilteredPolicy(sec, p_type, field_index, field_values); \
+        }
+        catch (UnsupportedOperationException e) {
+        }
+    }
 
     if (this->watcher !=NULL && this->auto_notify_watcher) {
         if (IsInstanceOf<WatcherEx>(this->watcher)) {

casbin/management_api.cpp

@@ -304,6 +304,6 @@ bool Enforcer :: RemoveFilteredNamedGroupingPolicy(string p_type, int field_inde
 }
 
 // AddFunction adds a customized function.
-void Enforcer :: AddFunction(string name, Function function) {
-    this->func_map.AddFunction(name, function);
+void Enforcer :: AddFunction(string name, Function function, Index nargs) {
+    this->func_map.AddFunction(name, function, nargs);
 }

casbin/persist.h

@@ -18,7 +18,7 @@
 #define CASBIN_CPP_PERSIST
 
 #include "./persist/adapter.h"
-#include "./persist/adapter_filtered.h"
+#include "./persist/filtered_adapter.h"
 #include "./persist/batch_adapter.h"
 #include "./persist/default_watcher.h"
 #include "./persist/default_watcher_ex.h"
@@ -27,6 +27,6 @@
 
 #include "./persist/file_adapter/batch_file_adapter.h"
 #include "./persist/file_adapter/file_adapter.h"
-#include "./persist/file_adapter/filtered_adapter.h"
+#include "./persist/file_adapter/filtered_file_adapter.h"
 
 #endif

examples/basic_with_root_model.conf

@@ -8,4 +8,4 @@ p = sub, obj, act
 e = some(where (p.eft == allow))
 
 [matchers]
-m = r.sub == p.sub && r.obj == p.obj && r.act == p.act || r.sub == "root"
+m = r.sub == "root" || r.sub == p.sub && r.obj == p.obj && r.act == p.act