Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RBAC with domain and domain pattern returns invalid results #147

Closed
Nalweakette opened this issue Nov 14, 2023 · 4 comments
Closed

RBAC with domain and domain pattern returns invalid results #147

Nalweakette opened this issue Nov 14, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@Nalweakette
Copy link

Nalweakette commented Nov 14, 2023
edited

When using model with keymatch, the role manager doesn't create links like it is supposed to do, giving invalid enforce result. RoleManager used to work when it was a "clone" of the node.js version, but broke when it was reworked on this commit a409154

Also note that now buildRoleLinks() must be called to have some "good" results

How to reproduce:

======================================================================
model.conf

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && keyMatch(r.dom, p.dom) && r.obj == p.obj && r.act == p.act

======================================================================
policies.csv

p,perm1,,data1,read
p,perm2,,data1,write
p,perm3,,data2,read
p,perm4,,data2,write

g,adminrole,perm1,*
g,adminrole,perm2,*
g,adminrole,perm3,*
g,adminrole,perm4,*
g,readerrole,perm1,*
g,readerrole,perm3,*

g,admingroup, adminrole, *
g,readergroup, readerrole, *

g,usergroup4, readergroup, domain4
g,usergroup4, perm4, domain4

g,alice,admingroup,domain1
g,alice,readergroup,domain2
g,alice,readergroup,domain4

======================================================================

result tests in https://casbin.org/editor/

alice, domain1, data1, read => true
alice, domain1, data1, write => true
alice, domain1, data2, read => true
alice, domain1, data2, write => true
bob, domain1, data2, write => false
alice, domain2, data1, read => true
alice, domain2, data1, write => false
alice, domain2, data2, read => true
alice, domain2, data2, write => false
alice, domain3, data1, read => false
alice, domain3, data1, write => false
alice, domain3, data2, read => false
alice, domain3, data2, write => false
alice, domain4, data1, write => false
alice, domain4, data1, read => true
alice, domain4, data2, read => true
alice, domain4, data2, write => true

======================================================================

end to end to in EnforcerTest.php

public function testRbacWithDomain()
{
    $e = new Enforcer(
        $this->modelAndPolicyPath . '/rbac_with_domain_pattern_model_and_keymatch_model.conf',
        $this->modelAndPolicyPath . '/rbac_with_domain_pattern_model_and_keymatch_policy.csv'
    );

    $e->addNamedDomainMatchingFunc('g', 'keyMatch', function (string $key1, string $key2) {
        return BuiltinOperations::keyMatch($key1, $key2);
    });

   // NOTE : without $e->buildRoleLinks(); everything is false;
   // WITH $e->buildRoleLinks(); everything is true
   $e->buildRoleLinks();

    $this->assertTrue($e->enforce('alice', 'domain1', 'data1', 'read'));
    $this->assertTrue($e->enforce('alice', 'domain1', 'data1', 'write'));
    $this->assertTrue($e->enforce('alice', 'domain1', 'data2', 'read'));
    $this->assertTrue($e->enforce('alice', 'domain1', 'data2', 'write'));

    $this->assertTrue($e->enforce('alice',  'domain2', 'data1', 'read'));
    $this->assertFalse($e->enforce('alice', 'domain2', 'data1', 'write'));
    $this->assertTrue($e->enforce('alice',  'domain2', 'data2', 'read'));
    $this->assertFalse($e->enforce('alice', 'domain2', 'data2', 'write'));

    $this->assertFalse($e->enforce('alice', 'domain3', 'data1', 'read'));
    $this->assertFalse($e->enforce('alice', 'domain3', 'data1', 'write'));
    $this->assertFalse($e->enforce('alice', 'domain3', 'data2', 'read'));
    $this->assertFalse($e->enforce('alice', 'domain3', 'data2', 'write'));

    $this->assertFalse($e->enforce('alice', 'domain4', 'data1', 'write'));
    $this->assertTrue($e->enforce('alice', 'domain4', 'data1', 'read'));
    $this->assertTrue($e->enforce('alice', 'domain4', 'data2', 'read'));
    $this->assertTrue($e->enforce('alice', 'domain4', 'data2', 'write'));
}

======================================================================

Results are all true, or all false. They doesn't match online editor
@Mangetsu Mangetsu mentioned this issue Nov 14, 2023
Closed
@woprrr
Copy link

woprrr commented Nov 14, 2023

+1 to me I'm fairy interested by That @leeqvip or @basakest it's a really nice catch to fix what's your opinion ?

Nalweakette pushed a commit to bbouchezitroom/php-casbin that referenced this issue Nov 20, 2023
fix: fixed rbac with domain and pattern (php-casbin#147)
476d116
Nalweakette pushed a commit to bbouchezitroom/php-casbin that referenced this issue Nov 20, 2023
fix: fixed rbac with domain and pattern (php-casbin#147)
3e07e81 
removed spaces in policy file
added missing space at end of file
Nalweakette pushed a commit to bbouchezitroom/php-casbin that referenced this issue Nov 20, 2023
fix: fixed rbac with domain and pattern (php-casbin#147)
3059fa0 
added missing space at end of file
Nalweakette pushed a commit to bbouchezitroom/php-casbin that referenced this issue Nov 20, 2023
fix: fixed rbac with domain and pattern (php-casbin#147)
1118ec1 
added missing space at end of file
Nalweakette pushed a commit to bbouchezitroom/php-casbin that referenced this issue Nov 20, 2023
fix: fixed rbac with domain and pattern (php-casbin#147)
9f371f1 
added yield to unit test
Nalweakette pushed a commit to bbouchezitroom/php-casbin that referenced this issue Nov 20, 2023
fix: fixed rbac with domain and pattern (php-casbin#147)
307a34f 
added missing eol
@leeqvip leeqvip added the bug Something isn't working label Nov 23, 2023
@hsluoyz
Copy link
Member

hsluoyz commented Nov 29, 2023

@leeqvip can we revoke this PR? #120

@leeqvip
Copy link
Member

leeqvip commented Nov 30, 2023
edited

@Nalweakette
It has been fixed in v3.21.4, but this is not the final solution.
It should be pointed out that for blank domain names in the policies, use * instead.

p,perm1,*,data1,read
p,perm2,*,data1,write
p,perm3,*,data2,read
p,perm4,*,data2,write
...

@hsluoyz
Copy link
Member

hsluoyz commented May 29, 2024

Closed as resolved

@hsluoyz hsluoyz closed this as completed May 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hsluoyz @woprrr @Nalweakette @leeqvip