public void TestModifyPolicyAPI()
{
Enforcer e = new Enforcer("examples/rbac_model.conf", "examples/rbac_policy.csv");
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")));
e.RemovePolicy("alice", "data1", "read");
e.RemovePolicy("bob", "data2", "write");
e.RemovePolicy("alice", "data1", "read");
e.AddPolicy("eve", "data3", "read");
e.AddPolicy("eve", "data3", "read");
List <String> namedPolicy = AsList("eve", "data3", "read");
e.RemoveNamedPolicy("p", namedPolicy);
e.AddNamedPolicy("p", namedPolicy);
TestGetPolicy(e, AsList(
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write"),
AsList("eve", "data3", "read")));
e.RemoveFilteredPolicy(1, "data2");
TestGetPolicy(e, AsList(AsList("eve", "data3", "read")));
}
public void TestMultipleGroupTypeModelInMemory()
{
var m = Model.Model.CreateDefault();
m.AddDef("r", "r", "sub, obj, act");
m.AddDef("p", "p", "sub, obj, act");
m.AddDef("g", "g", "_, _");
m.AddDef("g", "g2", "_, _");
m.AddDef("e", "e", "some(where (p.eft == allow))");
m.AddDef("m", "m", "g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act");
var e = new Enforcer(m);
e.AddPolicy("alice", "data1", "read");
e.AddPolicy("bob", "data2", "write");
e.AddPolicy("data_group_admin", "data_group", "write");
e.AddNamedGroupingPolicy("g", "alice", "data_group_admin");
e.AddNamedGroupingPolicy("g2", "data1", "data_group");
e.AddNamedGroupingPolicy("g2", "data2", "data_group");
Assert.True(e.Enforce("alice", "data1", "read"));
Assert.True(e.Enforce("alice", "data1", "write"));
Assert.False(e.Enforce("alice", "data2", "read"));
Assert.True(e.Enforce("alice", "data2", "write"));
}
public void GlobalSetup()
{
for (int i = 0; i < NowPolicyCount; i++)
{
_enforcer.AddPolicy($"group{i}", $"obj{i / 10}", "read");
}
Console.WriteLine($"// Already set {NowPolicyCount} policies.");
NowTestUserName = $"name{NowPolicyCount / 2 + 1}";
NowTestDataName = $"data{NowPolicyCount / 2 + 1}";
Console.WriteLine($"// Already set user name to {NowTestUserName}.");
Console.WriteLine($"// Already set data name to {NowTestDataName}.");
}
public void Test_Adapter_AutoSave()
{
var efAdapter = new CasbinDbAdapter(_context);
Enforcer e = new Enforcer("examples/rbac_model.conf", efAdapter);
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")
));
e.AddPolicy("alice", "data1", "write");
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write"),
AsList("alice", "data1", "write")
));
e.RemovePolicy("alice", "data1", "write");
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")
));
e.RemoveFilteredPolicy(0, "data2_admin");
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write")
));
}
public void TestPriorityExplicitModel()
{
var e = new Enforcer(_testModelFixture.GetNewPriorityExplicitTestModel());
e.BuildRoleLinks();
TestEnforce(e, "alice", "data1", "write", true);
TestEnforce(e, "alice", "data1", "read", true);
TestEnforce(e, "bob", "data2", "read", false);
TestEnforce(e, "bob", "data2", "write", true);
TestEnforce(e, "data1_deny_group", "data1", "read", false);
TestEnforce(e, "data1_deny_group", "data1", "write", false);
TestEnforce(e, "data2_allow_group", "data2", "read", true);
TestEnforce(e, "data2_allow_group", "data2", "write", true);
// add a higher priority policy
e.AddPolicy("1", "bob", "data2", "write", "deny");
TestEnforce(e, "alice", "data1", "write", true);
TestEnforce(e, "alice", "data1", "read", true);
TestEnforce(e, "bob", "data2", "read", false);
TestEnforce(e, "bob", "data2", "write", false);
TestEnforce(e, "data1_deny_group", "data1", "read", false);
TestEnforce(e, "data1_deny_group", "data1", "write", false);
TestEnforce(e, "data2_allow_group", "data2", "read", true);
TestEnforce(e, "data2_allow_group", "data2", "write", true);
}
public void TestRbacModelWithDomainsAtRuntime()
{
var e = new Enforcer(TestModelFixture.GetNewTestModel(_testModelFixture._rbacWithDomainsModelText));
e.BuildRoleLinks();
e.AddPolicy("admin", "domain1", "data1", "read");
e.AddPolicy("admin", "domain1", "data1", "write");
e.AddPolicy("admin", "domain2", "data2", "read");
e.AddPolicy("admin", "domain2", "data2", "write");
e.AddGroupingPolicy("alice", "admin", "domain1");
e.AddGroupingPolicy("bob", "admin", "domain2");
TestDomainEnforce(e, "alice", "domain1", "data1", "read", true);
TestDomainEnforce(e, "alice", "domain1", "data1", "write", true);
TestDomainEnforce(e, "alice", "domain1", "data2", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "read", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data2", "read", true);
TestDomainEnforce(e, "bob", "domain2", "data2", "write", true);
// Remove all policy rules related to domain1 and data1.
e.RemoveFilteredPolicy(1, "domain1", "data1");
TestDomainEnforce(e, "alice", "domain1", "data1", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data1", "write", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "read", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data2", "read", true);
TestDomainEnforce(e, "bob", "domain2", "data2", "write", true);
// Remove the specified policy rule.
e.RemovePolicy("admin", "domain2", "data2", "read");
TestDomainEnforce(e, "alice", "domain1", "data1", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data1", "write", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "read", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data2", "read", false);
TestDomainEnforce(e, "bob", "domain2", "data2", "write", true);
}
public void Test_RBACModelWithDomainsAtRuntime()
{
Enforcer e = new Enforcer("examples/rbac_with_domains_model.conf");
e.AddPolicy("admin", "domain1", "data1", "read");
e.AddPolicy("admin", "domain1", "data1", "write");
e.AddPolicy("admin", "domain2", "data2", "read");
e.AddPolicy("admin", "domain2", "data2", "write");
e.AddGroupingPolicy("alice", "admin", "domain1");
e.AddGroupingPolicy("bob", "admin", "domain2");
TestDomainEnforce(e, "alice", "domain1", "data1", "read", true);
TestDomainEnforce(e, "alice", "domain1", "data1", "write", true);
TestDomainEnforce(e, "alice", "domain1", "data2", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "read", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data2", "read", true);
TestDomainEnforce(e, "bob", "domain2", "data2", "write", true);
// Remove all policy rules related to domain1 and data1.
e.RemoveFilteredPolicy(1, "domain1", "data1");
TestDomainEnforce(e, "alice", "domain1", "data1", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data1", "write", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "read", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data2", "read", true);
TestDomainEnforce(e, "bob", "domain2", "data2", "write", true);
// Remove the specified policy rule.
e.RemovePolicy("admin", "domain2", "data2", "read");
TestDomainEnforce(e, "alice", "domain1", "data1", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data1", "write", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "read", false);
TestDomainEnforce(e, "alice", "domain1", "data2", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "read", false);
TestDomainEnforce(e, "bob", "domain2", "data1", "write", false);
TestDomainEnforce(e, "bob", "domain2", "data2", "read", false);
TestDomainEnforce(e, "bob", "domain2", "data2", "write", true);
}
public void TestGetImplicitUsersForPermission()
{
// Arrange
var e = new Enforcer(TestModelFixture.GetNewTestModel(
_testModelFixture._rbacModelText,
_testModelFixture._rbacWithHierarchyPolicyText));
e.BuildRoleLinks();
Assert.Equal(new[] { "alice" }, e.GetImplicitUsersForPermission("data1", "read"));
Assert.Equal(new[] { "alice" }, e.GetImplicitUsersForPermission("data1", "write"));
Assert.Equal(new[] { "alice" }, e.GetImplicitUsersForPermission("data2", "read"));
Assert.Equal(new[] { "alice", "bob" }, e.GetImplicitUsersForPermission("data2", "write"));
// Act
e.GetModel().ClearPolicy();
_ = e.AddPolicy("admin", "data1", "read");
_ = e.AddPolicy("bob", "data1", "read");
_ = e.AddGroupingPolicy("alice", "admin");
// Assert
Assert.Equal(new[] { "bob", "alice" }, e.GetImplicitUsersForPermission("data1", "read"));
}
public void TestModifyPolicy()
{
var e = new Enforcer(_testModelFixture.GetNewRbacTestModel());
e.BuildRoleLinks();
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")));
e.RemovePolicy("alice", "data1", "read");
e.RemovePolicy("bob", "data2", "write");
e.RemovePolicy("alice", "data1", "read");
e.AddPolicy("eve", "data3", "read");
e.AddPolicy("eve", "data3", "read");
var namedPolicy = AsList("eve", "data3", "read");
e.RemoveNamedPolicy("p", namedPolicy);
e.AddNamedPolicy("p", namedPolicy);
TestGetPolicy(e, AsList(
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write"),
AsList("eve", "data3", "read")));
e.RemoveFilteredPolicy(1, "data2");
TestGetPolicy(e, AsList(AsList("eve", "data3", "read")));
e.RemoveFilteredPolicy(1, Array.Empty <string>());
TestGetPolicy(e, AsList(AsList("eve", "data3", "read")));
e.RemoveFilteredPolicy(1, "");
TestGetPolicy(e, AsList(AsList("eve", "data3", "read")));
}
public void Test_Adapter_AutoSave()
{
var efAdapter = new CasbinDbAdapter(_contextMock.Object);
Enforcer e = new Enforcer("examples/rbac_model.conf", efAdapter);
var _context = _contextMock.Object;
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")
));
Assert.True(_context.CasbinRule.Count() == 5);
e.AddPolicy("alice", "data1", "write");
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write"),
AsList("alice", "data1", "write")
));
Assert.True(_context.CasbinRule.Count() == 6);
e.RemovePolicy("alice", "data1", "write");
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")
));
Assert.True(_context.CasbinRule.Count() == 5);
e.RemoveFilteredPolicy(0, "data2_admin");
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write")
));
Assert.True(_context.CasbinRule.Count() == 3);
}
public void TestAdapterAutoSave()
{
var adapter = new CasbinDbAdapter <int>(_context);
var enforcer = new Enforcer(_modelProvideFixture.GetNewRbacModel(), adapter);
TestGetPolicy(enforcer, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() == 5);
enforcer.AddPolicy("alice", "data1", "write");
TestGetPolicy(enforcer, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write"),
AsList("alice", "data1", "write")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() == 6);
enforcer.RemovePolicy("alice", "data1", "write");
TestGetPolicy(enforcer, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() == 5);
enforcer.RemoveFilteredPolicy(0, "data2_admin");
TestGetPolicy(enforcer, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() == 3);
}
public void TestPriorityExplicitDenyOverrideModel()
{
var e = new Enforcer(_testModelFixture.GetNewPriorityExplicitDenyOverrideModel());
e.BuildRoleLinks();
TestEnforce(e, "alice", "data2", "write", true);
TestEnforce(e, "bob", "data2", "read", true);
// adding a new group, simulating behaviour when two different groups are added to the same person.
e.AddPolicy("10", "data2_deny_group_new", "data2", "write", "deny");
e.AddGroupingPolicy("alice", "data2_deny_group_new");
TestEnforce(e, "alice", "data2", "write", false);
TestEnforce(e, "bob", "data2", "read", true);
// expected enforcement result should be true,
// as there is a policy with a lower rank 10, that produces allow result.
e.AddPolicy("5", "alice", "data2", "write", "allow");
TestEnforce(e, "alice", "data2", "write", true);
// adding deny policy for alice for the same obj,
// to ensure that if there is at least one deny, final result will be deny.
e.AddPolicy("5", "alice", "data2", "write", "deny");
TestEnforce(e, "alice", "data2", "write", false);
// adding higher fake higher priority policy for alice,
// expected enforcement result should be true (ignore this policy).
e.AddPolicy("2", "alice", "data2", "write", "allow");
TestEnforce(e, "alice", "data2", "write", true);
e.AddPolicy("1", "fake-subject", "fake-object", "very-fake-action", "allow");
TestEnforce(e, "alice", "data2", "write", true);
// adding higher (less of 0) priority policy for alice,
// to override group policies again.
e.AddPolicy("-1", "alice", "data2", "write", "deny");
TestEnforce(e, "alice", "data2", "write", false);
}
public IActionResult addPermissionWithoutDomain(string userName, string domain, string permissionName)
{
bool response = _enforcer.AddPolicy(userName, domain, permissionName);
return(Ok(response));
}
public void TestModifyPolicy()
{
var e = new Enforcer(_testModelFixture.GetNewRbacTestModel());
e.BuildRoleLinks();
TestGetPolicy(e, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")));
e.RemovePolicy("alice", "data1", "read");
e.RemovePolicy("bob", "data2", "write");
e.RemovePolicy("alice", "data1", "read");
e.AddPolicy("eve", "data3", "read");
e.AddPolicy("eve", "data3", "read");
var rules = AsList(
AsList("jack", "data4", "read"),
AsList("jack", "data4", "read"),
AsList("jack", "data4", "read"),
AsList("katy", "data4", "write"),
AsList("leyo", "data4", "read"),
AsList("katy", "data4", "write"),
AsList("katy", "data4", "write"),
AsList("ham", "data4", "write")
);
_ = e.AddPolicies(rules);
_ = e.AddPolicies(rules);
TestGetPolicy(e, AsList(
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write"),
AsList("eve", "data3", "read"),
AsList("jack", "data4", "read"),
AsList("katy", "data4", "write"),
AsList("leyo", "data4", "read"),
AsList("ham", "data4", "write")
)
);
_ = e.RemovePolicies(rules);
_ = e.RemovePolicies(rules);
var namedPolicy = AsList("eve", "data3", "read");
e.RemoveNamedPolicy("p", namedPolicy);
e.AddNamedPolicy("p", namedPolicy);
TestGetPolicy(e, AsList(
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write"),
AsList("eve", "data3", "read")));
e.RemoveFilteredPolicy(1, "data2");
TestGetPolicy(e, AsList(AsList("eve", "data3", "read")));
e.RemoveFilteredPolicy(1);
TestGetPolicy(e, AsList(AsList("eve", "data3", "read")));
e.RemoveFilteredPolicy(1, "");
TestGetPolicy(e, AsList(AsList("eve", "data3", "read")));
}
public void TestAdapterAutoSave()
{
var adapter = new EFCoreAdapter <int>(_context);
var enforcer = new Enforcer(_modelProvideFixture.GetNewRbacModel(), adapter);
#region Load policy test
TestGetPolicy(enforcer, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() is 5);
#endregion
#region Add policy test
enforcer.AddPolicy("alice", "data1", "write");
TestGetPolicy(enforcer, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write"),
AsList("alice", "data1", "write")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() is 6);
#endregion
#region Remove poliy test
enforcer.RemovePolicy("alice", "data1", "write");
TestGetPolicy(enforcer, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("data2_admin", "data2", "read"),
AsList("data2_admin", "data2", "write")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() is 5);
enforcer.RemoveFilteredPolicy(0, "data2_admin");
TestGetPolicy(enforcer, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() is 3);
#endregion
#region Batch APIs test
enforcer.AddPolicies(new []
{
new List <string> {
"alice", "data2", "write"
},
new List <string> {
"bob", "data1", "read"
}
});
TestGetPolicy(enforcer, AsList(
AsList("alice", "data1", "read"),
AsList("bob", "data2", "write"),
AsList("alice", "data2", "write"),
AsList("bob", "data1", "read")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() is 5);
enforcer.RemovePolicies(new []
{
new List <string> {
"alice", "data1", "read"
},
new List <string> {
"bob", "data2", "write"
}
});
TestGetPolicy(enforcer, AsList(
AsList("alice", "data2", "write"),
AsList("bob", "data1", "read")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() is 3);
#endregion
#region IFilteredAdapter test
enforcer.LoadFilteredPolicy(new Filter
{
P = new List <string> {
"bob", "data1", "read"
},
});
TestGetPolicy(enforcer, AsList(
AsList("bob", "data1", "read")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() is 3);
enforcer.LoadFilteredPolicy(new Filter
{
P = new List <string> {
"", "", "write"
},
});
TestGetPolicy(enforcer, AsList(
AsList("alice", "data2", "write")
));
Assert.True(_context.CasbinRule.AsNoTracking().Count() is 3);
#endregion
}
