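public void TestModifyGroupingPolicy()
        {
            // Walks the grouping-policy (user -> role) management calls and checks,
            // after each change, which roles a user holds and which users a role has.
            var e = new Enforcer(_testModelFixture.GetNewRbacTestModel());

            e.BuildRoleLinks();

            // Baseline: only alice holds a role before anything is modified.
            TestGetRoles(e, "alice", AsList("data2_admin"));
            TestGetRoles(e, "bob", AsList());
            TestGetRoles(e, "eve", AsList());
            TestGetRoles(e, "non_exist", AsList());

            e.RemoveGroupingPolicy("alice", "data2_admin");
            e.AddGroupingPolicy("bob", "data1_admin");
            e.AddGroupingPolicy("eve", "data3_admin");

            var groupingRules = AsList(
                AsList("ham", "data4_admin"),
                AsList("jack", "data5_admin")
                );

            // Batch grant, then batch revoke of the same rules.
            _ = e.AddGroupingPolicies(groupingRules);
            TestGetRoles(e, "ham", AsList("data4_admin"));
            TestGetRoles(e, "jack", AsList("data5_admin"));
            _ = e.RemoveGroupingPolicies(groupingRules);

            // The batch revoke must leave neither user with the role. Without these
            // checks a revoke that silently kept the assignments would still pass.
            TestGetRoles(e, "ham", AsList());
            TestGetRoles(e, "jack", AsList());

            TestGetRoles(e, "alice", AsList());

            var namedGroupingPolicy = AsList("alice", "data2_admin");

            // Same grant/revoke cycle through the named ("g") variants.
            TestGetRoles(e, "alice", AsList());
            e.AddNamedGroupingPolicy("g", namedGroupingPolicy);
            TestGetRoles(e, "alice", AsList("data2_admin"));
            e.RemoveNamedGroupingPolicy("g", namedGroupingPolicy);

            TestGetRoles(e, "alice", AsList());
            TestGetRoles(e, "bob", AsList("data1_admin"));
            TestGetRoles(e, "eve", AsList("data3_admin"));
            TestGetRoles(e, "non_exist", AsList());

            TestGetUsers(e, "data1_admin", AsList("bob"));
            TestGetUsers(e, "data2_admin", AsList());
            TestGetUsers(e, "data3_admin", AsList("eve"));

            // Filtered removal: drops grouping rules whose field 0 is "bob".
            e.RemoveFilteredGroupingPolicy(0, "bob");

            TestGetRoles(e, "alice", AsList());
            TestGetRoles(e, "bob", AsList());
            TestGetRoles(e, "eve", AsList("data3_admin"));
            TestGetRoles(e, "non_exist", AsList());

            TestGetUsers(e, "data1_admin", AsList());
            TestGetUsers(e, "data2_admin", AsList());
            TestGetUsers(e, "data3_admin", AsList("eve"));
        }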
        public void TestRbacModelWithCustomData()
        {
            // A grouping rule may carry an extra trailing field. This test checks the
            // decisions with such a rule present and again after it has been removed.
            var enforcer = new Enforcer(_testModelFixture.GetNewRbacTestModel());
            enforcer.BuildRoleLinks();

            // Custom data can be attached to a grouping policy; Casbin ignores it and it
            // only has meaning for the caller (for example, marking "bob" as an end user
            // that no other subject inherits from).
            // For Casbin this is equivalent to: AddGroupingPolicy("bob", "data2_admin")
            enforcer.AddGroupingPolicy("bob", "data2_admin", "custom_data");

            // With the role assigned, bob can both read and write data2.
            TestEnforce(enforcer, "alice", "data1", "read", true);
            TestEnforce(enforcer, "alice", "data1", "write", false);
            TestEnforce(enforcer, "alice", "data2", "read", true);
            TestEnforce(enforcer, "alice", "data2", "write", true);
            TestEnforce(enforcer, "bob", "data1", "read", false);
            TestEnforce(enforcer, "bob", "data1", "write", false);
            TestEnforce(enforcer, "bob", "data2", "read", true);
            TestEnforce(enforcer, "bob", "data2", "write", true);

            // Deleting the rule requires the custom data as well:
            // RemoveGroupingPolicy("bob", "data2_admin") won't work.
            // RemoveFilteredGroupingPolicy() is the alternative.
            enforcer.RemoveGroupingPolicy("bob", "data2_admin", "custom_data");

            // After the revoke bob loses read on data2 but keeps write.
            // NOTE(review): presumably the fixture grants bob write on data2 directly,
            // outside the role; confirm against the policy text. Revoking a role does
            // not revoke permissions granted some other way.
            TestEnforce(enforcer, "alice", "data1", "read", true);
            TestEnforce(enforcer, "alice", "data1", "write", false);
            TestEnforce(enforcer, "alice", "data2", "read", true);
            TestEnforce(enforcer, "alice", "data2", "write", true);
            TestEnforce(enforcer, "bob", "data1", "read", false);
            TestEnforce(enforcer, "bob", "data1", "write", false);
            TestEnforce(enforcer, "bob", "data2", "read", false);
            TestEnforce(enforcer, "bob", "data2", "write", true);
        }
        public void TestRbacModelWithDomainsAtRuntime()
        {
            // Builds a domain-scoped RBAC policy entirely at runtime, then removes rules
            // and checks that each removal changes only the decisions it should.
            var model = TestModelFixture.GetNewTestModel(_testModelFixture._rbacWithDomainsModelText);
            var enforcer = new Enforcer(model);
            enforcer.BuildRoleLinks();

            // Rules are (subject, domain, object, action): admin gets read/write on
            // data1 inside domain1 and on data2 inside domain2.
            enforcer.AddPolicy("admin", "domain1", "data1", "read");
            enforcer.AddPolicy("admin", "domain1", "data1", "write");
            enforcer.AddPolicy("admin", "domain2", "data2", "read");
            enforcer.AddPolicy("admin", "domain2", "data2", "write");

            // Each user is admin in one domain only.
            enforcer.AddGroupingPolicy("alice", "admin", "domain1");
            enforcer.AddGroupingPolicy("bob", "admin", "domain2");

            // Each user reaches only the object of their own domain.
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", true);
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", true);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", true);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", true);

            // Drop every policy rule for domain1 and data1 (filter starts at field 1).
            enforcer.RemoveFilteredPolicy(1, "domain1", "data1");

            // alice is now denied everywhere; bob's domain2 access is unchanged.
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", true);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", true);

            // Drop one exact rule: admin's read on data2 in domain2.
            enforcer.RemovePolicy("admin", "domain2", "data2", "read");

            // Only bob's read on data2 flips to deny; his write stays allowed.
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", true);
        }
        public void Test_RBACModelWithDomainsAtRuntime()
        {
            // Loads only the model file, adds every rule at runtime, then removes rules
            // and checks the per-domain decisions after each step.
            var enforcer = new Enforcer("examples/rbac_with_domains_model.conf");

            // Rules are (subject, domain, object, action).
            enforcer.AddPolicy("admin", "domain1", "data1", "read");
            enforcer.AddPolicy("admin", "domain1", "data1", "write");
            enforcer.AddPolicy("admin", "domain2", "data2", "read");
            enforcer.AddPolicy("admin", "domain2", "data2", "write");

            // alice is admin in domain1 only, bob in domain2 only.
            enforcer.AddGroupingPolicy("alice", "admin", "domain1");
            enforcer.AddGroupingPolicy("bob", "admin", "domain2");

            // Access is confined to the object of the user's own domain.
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", true);
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", true);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", true);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", true);

            // Remove all policy rules for domain1 and data1 (filter starts at field 1).
            enforcer.RemoveFilteredPolicy(1, "domain1", "data1");

            // alice has nothing left; bob's access in domain2 is unaffected.
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", true);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", true);

            // Remove one exact rule: admin's read on data2 in domain2.
            enforcer.RemovePolicy("admin", "domain2", "data2", "read");

            // Only bob's read on data2 becomes a deny; his write is still allowed.
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
            TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", false);
            TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", true);
        }
        public void TestModifyGroupingPolicyAPI()
        {
            // Loads model and policy from the example files, then grants and revokes
            // role assignments and checks role/user membership after each change.
            var enforcer = new Enforcer("examples/rbac_model.conf", "examples/rbac_policy.csv");

            // Baseline: only alice holds a role.
            TestGetRoles(enforcer, "alice", AsList("data2_admin"));
            TestGetRoles(enforcer, "bob", AsList());
            TestGetRoles(enforcer, "eve", AsList());
            TestGetRoles(enforcer, "non_exist", AsList());

            enforcer.RemoveGroupingPolicy("alice", "data2_admin");
            enforcer.AddGroupingPolicy("bob", "data1_admin");
            enforcer.AddGroupingPolicy("eve", "data3_admin");

            var aliceRule = AsList("alice", "data2_admin");

            // Grant and revoke alice's role again through the named ("g") variants.
            TestGetRoles(enforcer, "alice", AsList());
            enforcer.AddNamedGroupingPolicy("g", aliceRule);
            TestGetRoles(enforcer, "alice", AsList("data2_admin"));
            enforcer.RemoveNamedGroupingPolicy("g", aliceRule);

            TestGetRoles(enforcer, "alice", AsList());
            TestGetRoles(enforcer, "bob", AsList("data1_admin"));
            TestGetRoles(enforcer, "eve", AsList("data3_admin"));
            TestGetRoles(enforcer, "non_exist", AsList());

            TestGetUsers(enforcer, "data1_admin", AsList("bob"));
            TestGetUsers(enforcer, "data2_admin", AsList());
            TestGetUsers(enforcer, "data3_admin", AsList("eve"));

            // Filtered removal: drops grouping rules whose field 0 is "bob".
            enforcer.RemoveFilteredGroupingPolicy(0, "bob");

            // bob holds no role any more; eve's assignment is untouched.
            TestGetRoles(enforcer, "alice", AsList());
            TestGetRoles(enforcer, "bob", AsList());
            TestGetRoles(enforcer, "eve", AsList("data3_admin"));
            TestGetRoles(enforcer, "non_exist", AsList());

            TestGetUsers(enforcer, "data1_admin", AsList());
            TestGetUsers(enforcer, "data2_admin", AsList());
            TestGetUsers(enforcer, "data3_admin", AsList("eve"));
        }
        public void TestPriorityExplicitDenyOverrideModel()
        {
            // Adds allow/deny rules with different priority values one at a time and
            // checks alice's write decision on data2 after each addition. The first
            // field of every rule added here is the priority value.
            var enforcer = new Enforcer(_testModelFixture.GetNewPriorityExplicitDenyOverrideModel());
            enforcer.BuildRoleLinks();

            // Baseline decisions from the fixture policy.
            TestEnforce(enforcer, "alice", "data2", "write", true);
            TestEnforce(enforcer, "bob", "data2", "read", true);

            // Put alice in a second group that carries a deny (priority value 10),
            // simulating two different groups assigned to the same person.
            enforcer.AddPolicy("10", "data2_deny_group_new", "data2", "write", "deny");
            enforcer.AddGroupingPolicy("alice", "data2_deny_group_new");

            // The group deny now blocks alice; bob is unaffected.
            TestEnforce(enforcer, "alice", "data2", "write", false);
            TestEnforce(enforcer, "bob", "data2", "read", true);

            // A direct allow for alice with value 5, numerically below the group's 10:
            // the expected decision goes back to allow.
            enforcer.AddPolicy("5", "alice", "data2", "write", "allow");
            TestEnforce(enforcer, "alice", "data2", "write", true);

            // A deny for alice on the same object at the same value 5: with at least
            // one deny present there, the expected decision is deny.
            enforcer.AddPolicy("5", "alice", "data2", "write", "deny");
            TestEnforce(enforcer, "alice", "data2", "write", false);

            // An allow for alice with value 2 makes the expected decision allow again.
            enforcer.AddPolicy("2", "alice", "data2", "write", "allow");
            TestEnforce(enforcer, "alice", "data2", "write", true);

            // A rule with value 1 for an unrelated subject/object/action is expected to
            // be ignored: the decision for alice stays allow.
            enforcer.AddPolicy("1", "fake-subject", "fake-object", "very-fake-action", "allow");
            TestEnforce(enforcer, "alice", "data2", "write", true);

            // A deny for alice with a negative value (-1), below every rule added so
            // far: the expected decision is deny once more.
            enforcer.AddPolicy("-1", "alice", "data2", "write", "deny");
            TestEnforce(enforcer, "alice", "data2", "write", false);
        }
        public void TestGetImplicitUsersForPermission()
        {
            // Checks which users hold a permission, first against the hierarchy fixture
            // policy and then against a small policy rebuilt at runtime.
            var model = TestModelFixture.GetNewTestModel(
                _testModelFixture._rbacModelText,
                _testModelFixture._rbacWithHierarchyPolicyText);
            var enforcer = new Enforcer(model);
            enforcer.BuildRoleLinks();

            // Part 1: expected users per permission with the fixture policy loaded.
            Assert.Equal(new[] { "alice" }, enforcer.GetImplicitUsersForPermission("data1", "read"));
            Assert.Equal(new[] { "alice" }, enforcer.GetImplicitUsersForPermission("data1", "write"));
            Assert.Equal(new[] { "alice" }, enforcer.GetImplicitUsersForPermission("data2", "read"));
            Assert.Equal(new[] { "alice", "bob" }, enforcer.GetImplicitUsersForPermission("data2", "write"));

            // Part 2: clear the model's policy, then grant read on data1 to the admin
            // role and to bob directly, and make alice a member of admin.
            enforcer.GetModel().ClearPolicy();
            _ = enforcer.AddPolicy("admin", "data1", "read");
            _ = enforcer.AddPolicy("bob", "data1", "read");
            _ = enforcer.AddGroupingPolicy("alice", "admin");

            // bob holds the permission directly and alice through admin. The role name
            // itself is not expected in the result, and the order is part of the check.
            Assert.Equal(new[] { "bob", "alice" }, enforcer.GetImplicitUsersForPermission("data1", "read"));
        }