How can I design a matcher that looks for membership in two (g & g2) role_definitions? #1384
Comments
Sadly, that's not as simple as you expect. Your model is more likely an RBAC with Domains model, since there is no relationship between

Anyway, here is a working solution.

model:

policy:
code:

```go
package casbin

import "testing"

func Test_1384(t *testing.T) {
	e, err := NewEnforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")
	if err != nil {
		t.Fatalf("NewEnforcer Error: %s", err)
	}
	// Ask the same (sub, obj, act) question in two domains, "role" and
	// "entitlement", and require both answers to be true.
	testMultiDomainEnforce := func(t *testing.T, e *Enforcer, sub, obj, act string, res bool) {
		t.Helper()
		res1, err := e.Enforce(sub, "role", obj, act)
		if err != nil {
			t.Errorf("Enforce Error: %s", err)
			return
		}
		res2, err := e.Enforce(sub, "entitlement", obj, act)
		if err != nil {
			t.Errorf("Enforce Error: %s", err)
			return
		}
		// Compare against the conjunction; without the parentheses Go parses
		// this as (res != res1) && res2, which misses res1 == true, res2 == false.
		if res != (res1 && res2) {
			t.Errorf("%s, %s, %s: %t %t, supposed to be %t", sub, obj, act, res1, res2, res)
		}
		// Pass
	}
	testMultiDomainEnforce(t, e, "alice", "basic_feature", "read", true)
	testMultiDomainEnforce(t, e, "alice", "basic_feature", "write", true)
	testMultiDomainEnforce(t, e, "alice", "premium_feature", "read", true)
	testMultiDomainEnforce(t, e, "alice", "premium_feature", "write", true)
	testMultiDomainEnforce(t, e, "bob", "basic_feature", "read", true)
	testMultiDomainEnforce(t, e, "bob", "basic_feature", "write", true)
	testMultiDomainEnforce(t, e, "bob", "premium_feature", "read", false)
	testMultiDomainEnforce(t, e, "bob", "premium_feature", "write", false)
	testMultiDomainEnforce(t, e, "charlie", "basic_feature", "read", true)
	testMultiDomainEnforce(t, e, "charlie", "basic_feature", "write", false)
	testMultiDomainEnforce(t, e, "charlie", "premium_feature", "read", true)
	testMultiDomainEnforce(t, e, "charlie", "premium_feature", "write", false)
	testMultiDomainEnforce(t, e, "derek", "basic_feature", "read", true)
	testMultiDomainEnforce(t, e, "derek", "basic_feature", "write", false)
	testMultiDomainEnforce(t, e, "derek", "premium_feature", "read", false)
	testMultiDomainEnforce(t, e, "derek", "premium_feature", "write", false)
}
```
appreciated!
What's your scenario? What do you want to achieve?
I would like to model a set of roles and entitlements to match when a user is granted both the role & entitlement offering a specific permission.
In other words: e.g. the "admin" role offers access to everything in the app, but an actual admin user only has access to premium_feature if they have the premium_entitlement as well.

I'm pretty sure I am just using the matchers wrong... I can use g to determine match for role access & g2 to match for entitlement access successfully, however I am having trouble putting those two matchers together to match only when both evaluate to true.

Your model:
Your policy:
Your request(s):
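To make the "both must hold" logic concrete for the question above and for the domain-based test in the reply, here is an added, self-contained Go example. It is not Casbin's code and does not import the library: `Enforcer`, `ParsePolicy`, `EnforceIn` and `EnforceBoth` are a hypothetical toy evaluator that mimics the RBAC-with-domains matcher `g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act` over a constructed policy, with "role" and "entitlement" as the two domains. The users, roles and feature names are constructed to reproduce the expected results listed in the reply's test table; Casbin's real `g` also follows role inheritance, which this toy omits.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed policy (not from the issue). p rules carry a domain column;
// each g line grants a user one role inside one domain.
const policyCSV = `
p, admin, role, basic_feature, read
p, admin, role, basic_feature, write
p, admin, role, premium_feature, read
p, admin, role, premium_feature, write
p, viewer, role, basic_feature, read
p, viewer, role, premium_feature, read
p, basic_entitlement, entitlement, basic_feature, read
p, basic_entitlement, entitlement, basic_feature, write
p, premium_entitlement, entitlement, premium_feature, read
p, premium_entitlement, entitlement, premium_feature, write
g, alice, admin, role
g, alice, basic_entitlement, entitlement
g, alice, premium_entitlement, entitlement
g, bob, admin, role
g, bob, basic_entitlement, entitlement
g, charlie, viewer, role
g, charlie, basic_entitlement, entitlement
g, charlie, premium_entitlement, entitlement
g, derek, viewer, role
g, derek, basic_entitlement, entitlement
`

type rule struct{ sub, dom, obj, act string }
type grant struct{ user, role, dom string }

// Enforcer is a hypothetical stand-in for the library's enforcer.
type Enforcer struct {
	rules  []rule
	grants []grant
}

// ParsePolicy accepts "p, sub, dom, obj, act" and "g, user, role, dom" lines;
// anything else is an error rather than being silently skipped.
func ParsePolicy(csv string) (*Enforcer, error) {
	e := &Enforcer{}
	for _, line := range strings.Split(csv, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		switch {
		case f[0] == "p" && len(f) == 5:
			e.rules = append(e.rules, rule{f[1], f[2], f[3], f[4]})
		case f[0] == "g" && len(f) == 4:
			e.grants = append(e.grants, grant{f[1], f[2], f[3]})
		default:
			return nil, fmt.Errorf("malformed policy line: %q", line)
		}
	}
	return e, nil
}

// hasRole plays the part of g(r.sub, p.sub, r.dom): direct membership in the
// given domain only (no inheritance).
func (e *Enforcer) hasRole(user, role, dom string) bool {
	for _, g := range e.grants {
		if g.user == user && g.role == role && g.dom == dom {
			return true
		}
	}
	return false
}

// EnforceIn answers one domain: any p rule in that domain whose obj/act match
// and whose subject the user holds allows the request (some(where allow)).
func (e *Enforcer) EnforceIn(sub, dom, obj, act string) bool {
	for _, p := range e.rules {
		if p.dom == dom && p.obj == obj && p.act == act && e.hasRole(sub, p.sub, dom) {
			return true
		}
	}
	return false
}

// EnforceBoth is the conjunction the issue asks for: allowed through the
// role domain AND through the entitlement domain.
func (e *Enforcer) EnforceBoth(sub, obj, act string) bool {
	return e.EnforceIn(sub, "role", obj, act) && e.EnforceIn(sub, "entitlement", obj, act)
}

func main() {
	e, err := ParsePolicy(policyCSV)
	if err != nil {
		panic(err)
	}
	for _, sub := range []string{"alice", "bob", "charlie", "derek"} {
		for _, obj := range []string{"basic_feature", "premium_feature"} {
			for _, act := range []string{"read", "write"} {
				fmt.Printf("%-8s %-16s %-5s role=%-5t entitlement=%-5t both=%t\n", sub, obj, act,
					e.EnforceIn(sub, "role", obj, act), e.EnforceIn(sub, "entitlement", obj, act),
					e.EnforceBoth(sub, obj, act))
			}
		}
	}
}
```

Running `main` prints the per-domain answers next to the conjunction, which makes the failure mode visible: bob passes the role check for premium_feature on his own, and only the AND with the entitlement domain denies him. In Casbin itself the same shape is two `Enforce(sub, dom, obj, act)` calls, one per domain, combined with `&&`, as in the reply's test.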