public void TestRBACModelInMemory()
{
Model.Model m = CoreEnforcer.NewModel();
m.AddDef("r", "r", "sub, obj, act");
m.AddDef("p", "p", "sub, obj, act");
m.AddDef("g", "g", "_, _");
m.AddDef("e", "e", "some(where (p.eft == allow))");
m.AddDef("m", "m", "g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act");
Enforcer e = new Enforcer(m);
e.AddPermissionForUser("alice", "data1", "read");
e.AddPermissionForUser("bob", "data2", "write");
e.AddPermissionForUser("data2_admin", "data2", "read");
e.AddPermissionForUser("data2_admin", "data2", "write");
e.AddRoleForUser("alice", "data2_admin");
TestEnforce(e, "alice", "data1", "read", true);
TestEnforce(e, "alice", "data1", "write", false);
TestEnforce(e, "alice", "data2", "read", true);
TestEnforce(e, "alice", "data2", "write", true);
TestEnforce(e, "bob", "data1", "read", false);
TestEnforce(e, "bob", "data1", "write", false);
TestEnforce(e, "bob", "data2", "read", false);
TestEnforce(e, "bob", "data2", "write", true);
}
public void TestKeyMatchModelInMemory()
{
Model.Model m = CoreEnforcer.NewModel();
m.AddDef("r", "r", "sub, obj, act");
m.AddDef("p", "p", "sub, obj, act");
m.AddDef("e", "e", "some(where (p.eft == allow))");
m.AddDef("m", "m", "r.sub == p.sub && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)");
IAdapter a = new DefaultFileAdapter("examples/keymatch_policy.csv");
Enforcer e = new Enforcer(m, a);
TestEnforce(e, "alice", "/alice_data/resource1", "GET", true);
TestEnforce(e, "alice", "/alice_data/resource1", "POST", true);
TestEnforce(e, "alice", "/alice_data/resource2", "GET", true);
TestEnforce(e, "alice", "/alice_data/resource2", "POST", false);
TestEnforce(e, "alice", "/bob_data/resource1", "GET", false);
TestEnforce(e, "alice", "/bob_data/resource1", "POST", false);
TestEnforce(e, "alice", "/bob_data/resource2", "GET", false);
TestEnforce(e, "alice", "/bob_data/resource2", "POST", false);
TestEnforce(e, "bob", "/alice_data/resource1", "GET", false);
TestEnforce(e, "bob", "/alice_data/resource1", "POST", false);
TestEnforce(e, "bob", "/alice_data/resource2", "GET", true);
TestEnforce(e, "bob", "/alice_data/resource2", "POST", false);
TestEnforce(e, "bob", "/bob_data/resource1", "GET", false);
TestEnforce(e, "bob", "/bob_data/resource1", "POST", true);
TestEnforce(e, "bob", "/bob_data/resource2", "GET", false);
TestEnforce(e, "bob", "/bob_data/resource2", "POST", true);
TestEnforce(e, "cathy", "/cathy_data", "GET", true);
TestEnforce(e, "cathy", "/cathy_data", "POST", true);
TestEnforce(e, "cathy", "/cathy_data", "DELETE", false);
e = new Enforcer(m);
a.LoadPolicy(e.GetModel());
TestEnforce(e, "alice", "/alice_data/resource1", "GET", true);
TestEnforce(e, "alice", "/alice_data/resource1", "POST", true);
TestEnforce(e, "alice", "/alice_data/resource2", "GET", true);
TestEnforce(e, "alice", "/alice_data/resource2", "POST", false);
TestEnforce(e, "alice", "/bob_data/resource1", "GET", false);
TestEnforce(e, "alice", "/bob_data/resource1", "POST", false);
TestEnforce(e, "alice", "/bob_data/resource2", "GET", false);
TestEnforce(e, "alice", "/bob_data/resource2", "POST", false);
TestEnforce(e, "bob", "/alice_data/resource1", "GET", false);
TestEnforce(e, "bob", "/alice_data/resource1", "POST", false);
TestEnforce(e, "bob", "/alice_data/resource2", "GET", true);
TestEnforce(e, "bob", "/alice_data/resource2", "POST", false);
TestEnforce(e, "bob", "/bob_data/resource1", "GET", false);
TestEnforce(e, "bob", "/bob_data/resource1", "POST", true);
TestEnforce(e, "bob", "/bob_data/resource2", "GET", false);
TestEnforce(e, "bob", "/bob_data/resource2", "POST", true);
TestEnforce(e, "cathy", "/cathy_data", "GET", true);
TestEnforce(e, "cathy", "/cathy_data", "POST", true);
TestEnforce(e, "cathy", "/cathy_data", "DELETE", false);
}
public void TestKeyMatchModelInMemoryDeny()
{
Model.Model m = CoreEnforcer.NewModel();
m.AddDef("r", "r", "sub, obj, act");
m.AddDef("p", "p", "sub, obj, act");
m.AddDef("e", "e", "!some(where (p.eft == deny))");
m.AddDef("m", "m", "r.sub == p.sub && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)");
IAdapter a = new DefaultFileAdapter("examples/keymatch_policy.csv");
Enforcer e = new Enforcer(m, a);
TestEnforce(e, "alice", "/alice_data/resource2", "POST", true);
}
public void testRBACModelInMemoryIndeterminate()
{
Model.Model m = CoreEnforcer.NewModel();
m.AddDef("r", "r", "sub, obj, act");
m.AddDef("p", "p", "sub, obj, act");
m.AddDef("g", "g", "_, _");
m.AddDef("e", "e", "some(where (p.eft == allow))");
m.AddDef("m", "m", "g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act");
Enforcer e = new Enforcer(m);
e.AddPermissionForUser("alice", "data1", "invalid");
testEnforce(e, "alice", "data1", "read", false);
}
public void TestInitEmpty()
{
Enforcer e = new Enforcer();
Model.Model m = CoreEnforcer.NewModel();
m.AddDef("r", "r", "sub, obj, act");
m.AddDef("p", "p", "sub, obj, act");
m.AddDef("e", "e", "some(where (p.eft == allow))");
m.AddDef("m", "m", "r.sub == p.sub && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)");
IAdapter a = new DefaultFileAdapter("examples/keymatch_policy.csv");
e.SetModel(m);
e.SetAdapter(a);
e.LoadPolicy();
TestEnforce(e, "alice", "/alice_data/resource1", "GET", true);
}
public void TestInitEmptyByInputStream()
{
Enforcer e = new Enforcer();
Model.Model m = CoreEnforcer.NewModel();
m.AddDef("r", "r", "sub, obj, act");
m.AddDef("p", "p", "sub, obj, act");
m.AddDef("e", "e", "some(where (p.eft == allow))");
m.AddDef("m", "m", "r.sub == p.sub && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)");
using (var fs = new FileStream("examples/keymatch_policy.csv", FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
{
IAdapter a = new DefaultFileAdapter(fs);
e.SetModel(m);
e.SetAdapter(a);
e.LoadPolicy();
TestEnforce(e, "alice", "/alice_data/resource1", "GET", true);
}
}
