/// <summary>
/// Walks through the grouping-policy (role assignment) management calls on an RBAC model and
/// checks, after each change, which roles every user holds and which users every role contains.
/// </summary>
/// <remarks>
/// Covers single add/remove, batch add/remove, the named ("g") variants and filtered removal.
/// The values returned by the batch calls are discarded, so the effect of a call is pinned
/// only by the role and user queries that follow it.
/// </remarks>
public void TestModifyGroupingPolicy()
{
    var enforcer = new Enforcer(_testModelFixture.GetNewRbacTestModel());
    enforcer.BuildRoleLinks();

    // Expected starting state: alice is the only user that holds a role.
    TestGetRoles(enforcer, "alice", AsList("data2_admin"));
    foreach (var roleless in new[] { "bob", "eve", "non_exist" })
    {
        TestGetRoles(enforcer, roleless, AsList());
    }

    // Revoke alice's role and grant one role each to bob and eve.
    enforcer.RemoveGroupingPolicy("alice", "data2_admin");
    enforcer.AddGroupingPolicy("bob", "data1_admin");
    enforcer.AddGroupingPolicy("eve", "data3_admin");

    // Batch variant: both assignments are added in one call and must be visible right away.
    var batchRules = AsList(
        AsList("ham", "data4_admin"),
        AsList("jack", "data5_admin"));
    _ = enforcer.AddGroupingPolicies(batchRules);
    TestGetRoles(enforcer, "ham", AsList("data4_admin"));
    TestGetRoles(enforcer, "jack", AsList("data5_admin"));

    // NOTE(review): ham and jack are not queried again after the batch removal, so the
    // revocation itself is not pinned by an assertion in this test.
    _ = enforcer.RemoveGroupingPolicies(batchRules);
    TestGetRoles(enforcer, "alice", AsList());

    // Named variant on policy type "g": grant, verify, revoke, verify.
    var aliceAdminRule = AsList("alice", "data2_admin");
    TestGetRoles(enforcer, "alice", AsList());
    enforcer.AddNamedGroupingPolicy("g", aliceAdminRule);
    TestGetRoles(enforcer, "alice", AsList("data2_admin"));
    enforcer.RemoveNamedGroupingPolicy("g", aliceAdminRule);

    // Only the two single-rule grants made earlier are expected to remain.
    TestGetRoles(enforcer, "alice", AsList());
    TestGetRoles(enforcer, "bob", AsList("data1_admin"));
    TestGetRoles(enforcer, "eve", AsList("data3_admin"));
    TestGetRoles(enforcer, "non_exist", AsList());

    TestGetUsers(enforcer, "data1_admin", AsList("bob"));
    TestGetUsers(enforcer, "data2_admin", AsList());
    TestGetUsers(enforcer, "data3_admin", AsList("eve"));

    // Filtered removal starting at field index 0 with value "bob": the expectations below show
    // bob losing his role while eve's assignment is left untouched.
    enforcer.RemoveFilteredGroupingPolicy(0, "bob");

    TestGetRoles(enforcer, "alice", AsList());
    TestGetRoles(enforcer, "bob", AsList());
    TestGetRoles(enforcer, "eve", AsList("data3_admin"));
    TestGetRoles(enforcer, "non_exist", AsList());

    TestGetUsers(enforcer, "data1_admin", AsList());
    TestGetUsers(enforcer, "data2_admin", AsList());
    TestGetUsers(enforcer, "data3_admin", AsList("eve"));
}
/// <summary>
/// Checks that a grouping policy carrying an extra, caller-defined field still grants the role,
/// and that removing the rule with the same extra field withdraws the role again.
/// </summary>
public void TestRbacModelWithCustomData()
{
    var enforcer = new Enforcer(_testModelFixture.GetNewRbacTestModel());
    enforcer.BuildRoleLinks();

    // A grouping policy may carry custom data. Casbin ignores it; it only means something to
    // the caller, e.g. to record that "bob" is an end user that no subject should inherit from.
    // For enforcement this is equivalent to AddGroupingPolicy("bob", "data2_admin").
    enforcer.AddGroupingPolicy("bob", "data2_admin", "custom_data");

    // While the assignment is in place, bob is expected to gain read on data2.
    var whileAssigned = new (string Sub, string Obj, string Act, bool Allowed)[]
    {
        ("alice", "data1", "read", true),
        ("alice", "data1", "write", false),
        ("alice", "data2", "read", true),
        ("alice", "data2", "write", true),
        ("bob", "data1", "read", false),
        ("bob", "data1", "write", false),
        ("bob", "data2", "read", true),
        ("bob", "data2", "write", true),
    };
    foreach (var (sub, obj, act, allowed) in whileAssigned)
    {
        TestEnforce(enforcer, sub, obj, act, allowed);
    }

    // The custom data has to be passed again when deleting the rule:
    // RemoveGroupingPolicy("bob", "data2_admin") on its own will not work.
    // RemoveFilteredGroupingPolicy() is the alternative.
    // NOTE(review): the "will not work" case is stated here but not asserted; a removal that
    // does not match would leave the role assignment in force, so a negative check that pins
    // it would be worth adding.
    enforcer.RemoveGroupingPolicy("bob", "data2_admin", "custom_data");

    // After removal bob is expected to lose read on data2 but to keep write on it.
    var afterRemoval = new (string Sub, string Obj, string Act, bool Allowed)[]
    {
        ("alice", "data1", "read", true),
        ("alice", "data1", "write", false),
        ("alice", "data2", "read", true),
        ("alice", "data2", "write", true),
        ("bob", "data1", "read", false),
        ("bob", "data1", "write", false),
        ("bob", "data2", "read", false),
        ("bob", "data2", "write", true),
    };
    foreach (var (sub, obj, act, allowed) in afterRemoval)
    {
        TestEnforce(enforcer, sub, obj, act, allowed);
    }
}
/// <summary>
/// Builds a domain-scoped RBAC policy at runtime and checks the enforcement decisions after the
/// initial setup, after a filtered policy removal and after removing one exact rule.
/// </summary>
/// <remarks>
/// The same eight requests are evaluated in every phase. The four cross-resource requests
/// (alice on data2, bob on data1) are expected to be denied throughout; only the four
/// decisions passed to the local helper change between phases.
/// </remarks>
public void TestRbacModelWithDomainsAtRuntime()
{
    var enforcer = new Enforcer(TestModelFixture.GetNewTestModel(_testModelFixture._rbacWithDomainsModelText));
    enforcer.BuildRoleLinks();

    // Evaluates the fixed request set in a fixed order; only the four decisions that vary
    // across phases are parameters.
    void ExpectDecisions(bool aliceData1Read, bool aliceData1Write, bool bobData2Read, bool bobData2Write)
    {
        TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", aliceData1Read);
        TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", aliceData1Write);
        TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
        TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
        TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
        TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
        TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", bobData2Read);
        TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", bobData2Write);
    }

    // The admin role gets read/write on data1 in domain1 and on data2 in domain2.
    enforcer.AddPolicy("admin", "domain1", "data1", "read");
    enforcer.AddPolicy("admin", "domain1", "data1", "write");
    enforcer.AddPolicy("admin", "domain2", "data2", "read");
    enforcer.AddPolicy("admin", "domain2", "data2", "write");

    // alice is admin in domain1 only, bob is admin in domain2 only.
    enforcer.AddGroupingPolicy("alice", "admin", "domain1");
    enforcer.AddGroupingPolicy("bob", "admin", "domain2");

    ExpectDecisions(aliceData1Read: true, aliceData1Write: true, bobData2Read: true, bobData2Write: true);

    // Remove all policy rules related to domain1 and data1 (the filter starts at field index 1).
    enforcer.RemoveFilteredPolicy(1, "domain1", "data1");

    ExpectDecisions(aliceData1Read: false, aliceData1Write: false, bobData2Read: true, bobData2Write: true);

    // Remove one exact rule: only bob's read on data2 is expected to flip, write stays allowed.
    enforcer.RemovePolicy("admin", "domain2", "data2", "read");

    ExpectDecisions(aliceData1Read: false, aliceData1Write: false, bobData2Read: false, bobData2Write: true);
}
/// <summary>
/// Loads the domain-aware RBAC model from its example file, adds policy and role assignments
/// at runtime, and checks the enforcement decisions after setup, after a filtered policy removal
/// and after removing one exact rule.
/// </summary>
/// <remarks>
/// Every phase evaluates the same eight requests. alice on data2 and bob on data1 are expected
/// to be denied in all phases.
/// </remarks>
public void Test_RBACModelWithDomainsAtRuntime()
{
    var enforcer = new Enforcer("examples/rbac_with_domains_model.conf");

    // The admin role gets read/write on data1 in domain1 and on data2 in domain2.
    enforcer.AddPolicy("admin", "domain1", "data1", "read");
    enforcer.AddPolicy("admin", "domain1", "data1", "write");
    enforcer.AddPolicy("admin", "domain2", "data2", "read");
    enforcer.AddPolicy("admin", "domain2", "data2", "write");

    // alice is admin in domain1 only, bob is admin in domain2 only.
    enforcer.AddGroupingPolicy("alice", "admin", "domain1");
    enforcer.AddGroupingPolicy("bob", "admin", "domain2");

    // Phase 1: each user is allowed only on the resource of their own domain.
    TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", true);
    TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", true);
    TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
    TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", true);
    TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", true);

    // Remove all policy rules related to domain1 and data1 (the filter starts at field index 1).
    enforcer.RemoveFilteredPolicy(1, "domain1", "data1");

    // Phase 2: alice is expected to lose both permissions; bob's are unchanged.
    TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", false);
    TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", false);
    TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
    TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", true);
    TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", true);

    // Remove the specified policy rule.
    enforcer.RemovePolicy("admin", "domain2", "data2", "read");

    // Phase 3: only bob's read on data2 is expected to flip; his write stays allowed.
    TestDomainEnforce(enforcer, "alice", "domain1", "data1", "read", false);
    TestDomainEnforce(enforcer, "alice", "domain1", "data1", "write", false);
    TestDomainEnforce(enforcer, "alice", "domain1", "data2", "read", false);
    TestDomainEnforce(enforcer, "alice", "domain1", "data2", "write", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data1", "read", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data1", "write", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data2", "read", false);
    TestDomainEnforce(enforcer, "bob", "domain2", "data2", "write", true);
}
/// <summary>
/// Loads the example RBAC model and policy files and exercises adding and removing role
/// assignments: plain, named ("g") and filtered. After each change it checks the roles held
/// by every user and the users contained in every role.
/// </summary>
public void TestModifyGroupingPolicyAPI()
{
    var enforcer = new Enforcer("examples/rbac_model.conf", "examples/rbac_policy.csv");

    // Expected starting state: alice is the only user that holds a role.
    TestGetRoles(enforcer, "alice", AsList("data2_admin"));
    foreach (string roleless in new[] { "bob", "eve", "non_exist" })
    {
        TestGetRoles(enforcer, roleless, AsList());
    }

    // Revoke alice's role and grant one role each to bob and eve.
    enforcer.RemoveGroupingPolicy("alice", "data2_admin");
    enforcer.AddGroupingPolicy("bob", "data1_admin");
    enforcer.AddGroupingPolicy("eve", "data3_admin");

    // Named variant on policy type "g": the revocation above must be visible before the rule
    // is granted again, and the grant must be visible before it is revoked.
    List<string> aliceAdminRule = AsList("alice", "data2_admin");
    TestGetRoles(enforcer, "alice", AsList());
    enforcer.AddNamedGroupingPolicy("g", aliceAdminRule);
    TestGetRoles(enforcer, "alice", AsList("data2_admin"));
    enforcer.RemoveNamedGroupingPolicy("g", aliceAdminRule);

    // Only the grants for bob and eve are expected to remain.
    TestGetRoles(enforcer, "alice", AsList());
    TestGetRoles(enforcer, "bob", AsList("data1_admin"));
    TestGetRoles(enforcer, "eve", AsList("data3_admin"));
    TestGetRoles(enforcer, "non_exist", AsList());

    TestGetUsers(enforcer, "data1_admin", AsList("bob"));
    TestGetUsers(enforcer, "data2_admin", AsList());
    TestGetUsers(enforcer, "data3_admin", AsList("eve"));

    // Filtered removal starting at field index 0 with value "bob": the expectations below show
    // bob losing his role while eve's assignment is left untouched.
    enforcer.RemoveFilteredGroupingPolicy(0, "bob");

    TestGetRoles(enforcer, "alice", AsList());
    TestGetRoles(enforcer, "bob", AsList());
    TestGetRoles(enforcer, "eve", AsList("data3_admin"));
    TestGetRoles(enforcer, "non_exist", AsList());

    TestGetUsers(enforcer, "data1_admin", AsList());
    TestGetUsers(enforcer, "data2_admin", AsList());
    TestGetUsers(enforcer, "data3_admin", AsList("eve"));
}
/// <summary>
/// Checks how explicitly prioritised allow and deny rules combine: rules are added one at a time
/// for alice writing data2, and the enforcement decision is re-checked after each addition.
/// </summary>
/// <remarks>
/// The first value of each rule added here is its priority; the remaining values appear to be
/// subject, object, action and effect. The expectations are consistent with priorities being
/// compared as numbers where the smaller value takes precedence, and with deny winning over
/// allow at equal priority.
/// </remarks>
public void TestPriorityExplicitDenyOverrideModel()
{
    var enforcer = new Enforcer(_testModelFixture.GetNewPriorityExplicitDenyOverrideModel());
    enforcer.BuildRoleLinks();

    // Baseline decisions from the fixture's own policy.
    TestEnforce(enforcer, "alice", "data2", "write", true);
    TestEnforce(enforcer, "bob", "data2", "read", true);

    // Add a second group with a deny rule and put alice in it, simulating one person who
    // belongs to two different groups. alice is now denied; bob is unaffected.
    enforcer.AddPolicy("10", "data2_deny_group_new", "data2", "write", "deny");
    enforcer.AddGroupingPolicy("alice", "data2_deny_group_new");

    TestEnforce(enforcer, "alice", "data2", "write", false);
    TestEnforce(enforcer, "bob", "data2", "read", true);

    // A direct allow for alice at priority 5 is expected to take precedence over the
    // group's deny at priority 10.
    enforcer.AddPolicy("5", "alice", "data2", "write", "allow");
    TestEnforce(enforcer, "alice", "data2", "write", true);

    // A deny for the same request at the same priority: with at least one deny at that
    // priority, the final result is expected to be deny.
    enforcer.AddPolicy("5", "alice", "data2", "write", "deny");
    TestEnforce(enforcer, "alice", "data2", "write", false);

    // An allow at priority 2 is expected to take precedence over the allow/deny pair at 5.
    enforcer.AddPolicy("2", "alice", "data2", "write", "allow");
    TestEnforce(enforcer, "alice", "data2", "write", true);

    // A priority-1 rule for an unrelated subject, object and action must not change the
    // decision for alice.
    enforcer.AddPolicy("1", "fake-subject", "fake-object", "very-fake-action", "allow");
    TestEnforce(enforcer, "alice", "data2", "write", true);

    // A priority below zero is expected to take precedence over everything added so far,
    // so alice ends up denied.
    enforcer.AddPolicy("-1", "alice", "data2", "write", "deny");
    TestEnforce(enforcer, "alice", "data2", "write", false);
}
/// <summary>
/// Checks which users are reported as holding a permission, directly or through roles, first
/// against the hierarchical RBAC fixture and then against a small policy rebuilt at runtime.
/// </summary>
public void TestGetImplicitUsersForPermission()
{
    // Arrange: model plus the role-hierarchy policy text from the fixture.
    var enforcer = new Enforcer(TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacModelText,
        _testModelFixture._rbacWithHierarchyPolicyText));
    enforcer.BuildRoleLinks();

    // With the fixture policy, alice is the only expected user for these three permissions.
    foreach (var (obj, act) in new[] { ("data1", "read"), ("data1", "write"), ("data2", "read") })
    {
        Assert.Equal(new[] { "alice" }, enforcer.GetImplicitUsersForPermission(obj, act));
    }

    // Write on data2 is expected for both users, in this order.
    Assert.Equal(new[] { "alice", "bob" }, enforcer.GetImplicitUsersForPermission("data2", "write"));

    // Act: clear the policy on the model and rebuild a minimal one. bob gets the permission
    // directly, alice only through the admin role.
    // NOTE(review): BuildRoleLinks is not called again after ClearPolicy, and the expectation
    // below would hold even if earlier role links were still present, so this test does not
    // show whether they are reset.
    enforcer.GetModel().ClearPolicy();
    _ = enforcer.AddPolicy("admin", "data1", "read");
    _ = enforcer.AddPolicy("bob", "data1", "read");
    _ = enforcer.AddGroupingPolicy("alice", "admin");

    // Assert: both the direct holder and the role member are listed, bob first.
    Assert.Equal(new[] { "bob", "alice" }, enforcer.GetImplicitUsersForPermission("data1", "read"));
}