casbin-ruby 1.0.3 → 1.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13ea0fa54ac74dc4353530fdfb64ffc8241549538d53ec4b4290e5eeb1a296ee
-  data.tar.gz: 7a6998a5026d11064a6d4f33d607a487c72fff0a26283ea04cada62858ca652e
+  metadata.gz: 52a08bf07cc4d7925f0e23993f1745f1cf69585ba941138c12f88ca3498705b1
+  data.tar.gz: 1db55f6ab3c6e853ae2f84271b08f1c67d795ea5c86afb9e7b84d94091dd9ddc
 SHA512:
-  metadata.gz: 3b200f1e9e6ad4e337c5a5afc0459a7fbb7cfca07d5ce6c599de908df8702aa6b8f576f974c8087de66ac974d665438652ef80d011ba7b91fb80d7c55d749fee
-  data.tar.gz: b1e3111991dbc4ab58fc28dc57b3ff70d4cdbf2f40d0690d20bd061b344ada0ad8471e04421034051410bf11023d2d961e20427b8f09e93f4a5664ed6b6fc6dc
+  metadata.gz: 3eaa9572203f449d6b653d725a05ef7c59f42bc9cd34d3ee7ef55afe63f1a933951934a63131aa0b7eb4d117b524f105561ce84e805a9617df976e35a3894ab4
+  data.tar.gz: dcc181227a68e920b78b705eb018a0b23a69417e8408c6014a2c22c05243ac08787a518efa73918e4266291c3a8f6b52dbd3ad2ce4ffb4b40743cdd0e0e0a2dd

data/README.md

@@ -0,0 +1,242 @@
+Casbin for Ruby
+====
+
+[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/casbin/lobby)
+
+**News**: still worry about how to write the correct Casbin policy? ``Casbin online editor`` is coming to help! Try it
+at: http://casbin.org/editor/
+
+Casbin is a powerful and efficient open-source access control library for Ruby projects. It provides support for
+enforcing authorization based on various [access control models](https://en.wikipedia.org/wiki/Computer_security_model).
+
+## All the languages supported by Casbin:
+
+[![golang](https://casbin.org/img/langs/golang.png)](https://github.com/casbin/casbin) | [![java](https://casbin.org/img/langs/java.png)](https://github.com/casbin/jcasbin) | [![nodejs](https://casbin.org/img/langs/nodejs.png)](https://github.com/casbin/node-casbin)
+----|----|----
+[Casbin](https://github.com/casbin/casbin) | [jCasbin](https://github.com/casbin/jcasbin) | [node-Casbin](https://github.com/casbin/node-casbin)
+production-ready | production-ready | production-ready
+[![php](https://casbin.org/img/langs/php.png)](https://github.com/php-casbin/php-casbin) | [![python](https://casbin.org/img/langs/python.png)](https://github.com/casbin/pycasbin) | [![dotnet](https://casbin.org/img/langs/dotnet.png)](https://github.com/casbin-net/Casbin.NET)
+[PHP-Casbin](https://github.com/php-casbin/php-casbin)|[PyCasbin](https://github.com/casbin/pycasbin) | [Casbin.NET](https://github.com/casbin-net/Casbin.NET)
+production-ready | production-ready | production-ready
+| [![c++](https://casbin.org/img/langs/cpp.png)](https://github.com/casbin/casbin-cpp) | [![rust](https://casbin.org/img/langs/rust.png)](https://github.com/casbin/casbin-rs) | [![Ruby](ruby.jpg)](https://github.com/evrone/casbin-ruby)|
+[Casbin-CPP](https://github.com/casbin/casbin-cpp) | [Casbin-RS](https://github.com/casbin/casbin-rs) | [Ruby Casbin](https://github.com/evrone/casbin-ruby)
+beta-test | production-ready | development
+
+## Table of contents
+
+- [Supported models](#supported-models)
+- [How it works?](#how-it-works)
+- [Features](#features)
+- [Installation](#installation)
+- [Documentation](#documentation)
+- [Online editor](#online-editor)
+- [Tutorials](#tutorials)
+- [Get started](#get-started)
+- [Policy management](#policy-management)
+- [Policy persistence](#policy-persistence)
+- [Role manager](#role-manager)
+- [Benchmarks](#benchmarks)
+- [Examples](#examples)
+- [Middlewares](#middlewares)
+- [Our adopters](#our-adopters)
+
+## Supported models
+
+1. [**ACL (Access Control List)**](https://en.wikipedia.org/wiki/Access_control_list)
+2. **ACL with [superuser](https://en.wikipedia.org/wiki/Superuser)**
+3. **ACL without users**: especially useful for systems that don't have authentication or user log-ins.
+3. **ACL without resources**: some scenarios may target for a type of resources instead of an individual resource by using permissions like ``write-article``, ``read-log``. It doesn't control the access to a specific article or log.
+4. **[RBAC (Role-Based Access Control)](https://en.wikipedia.org/wiki/Role-based_access_control)**
+5. **RBAC with resource roles**: both users and resources can have roles (or groups) at the same time.
+6. **RBAC with domains/tenants**: users can have different role sets for different domains/tenants.
+7. **[ABAC (Attribute-Based Access Control)](https://en.wikipedia.org/wiki/Attribute-Based_Access_Control)**: syntax sugar like ``resource.Owner`` can be used to get the attribute for a resource.
+8. **[RESTful](https://en.wikipedia.org/wiki/Representational_state_transfer)**: supports paths like ``/res/*``, ``/res/:id`` and HTTP methods like ``GET``, ``POST``, ``PUT``, ``DELETE``.
+9. **Deny-override**: both allow and deny authorizations are supported, deny overrides the allow.
+10. **Priority**: the policy rules can be prioritized like firewall rules.
+
+## How it works?
+
+In Casbin, an access control model is abstracted into a CONF file based on the **PERM metamodel (Policy, Effect, Request, Matchers)**. So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration. You can customize your own access control model by combining the available models. For example, you can get RBAC roles and ABAC attributes together inside one model and share one set of policy rules.
+
+The most basic and simplest model in Casbin is ACL. ACL's model CONF is:
+
+```ini
+# Request definition
+[request_definition]
+r = sub, obj, act
+
+# Policy definition
+[policy_definition]
+p = sub, obj, act
+
+# Policy effect
+[policy_effect]
+e = some(where (p.eft == allow))
+
+# Matchers
+[matchers]
+m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
+
+```
+
+An example policy for ACL model is like:
+
+```
+p, alice, data1, read
+p, bob, data2, write
+```
+
+It means:
+
+- alice can read data1
+- bob can write data2
+
+We also support multi-line mode by appending '\\'  in the end:
+
+```ini
+# Matchers
+[matchers]
+m = r.sub == p.sub && r.obj == p.obj \
+  && r.act == p.act
+```
+
+Further more, if you are using ABAC,  you can try operator `in` like following in Casbin **golang** edition (jCasbin and Node-Casbin are not supported yet):
+
+```ini
+# Matchers
+[matchers]
+m = r.obj == p.obj && r.act == p.act || r.obj in ('data2', 'data3')
+```
+
+But you **SHOULD** make sure that the length of the array is **MORE** than **1**, otherwise there will cause it to panic.
+
+For more operators, you may take a look at [govaluate](https://github.com/Knetic/govaluate)
+
+## Features
+
+What Casbin does:
+
+1. enforce the policy in the classic ``{subject, object, action}`` form or a customized form as you defined, both allow and deny authorizations are supported.
+2. handle the storage of the access control model and its policy.
+3. manage the role-user mappings and role-role mappings (aka role hierarchy in RBAC).
+4. support built-in superuser like ``root`` or ``administrator``. A superuser can do anything without explict permissions.
+5. multiple built-in operators to support the rule matching. For example, ``keyMatch`` can map a resource key ``/foo/bar`` to the pattern ``/foo*``.
+
+What Casbin does NOT do:
+
+1. authentication (aka verify ``username`` and ``password`` when a user logs in)
+2. manage the list of users or roles. I believe it's more convenient for the project itself to manage these entities. Users usually have their passwords, and Casbin is not designed as a password container. However, Casbin stores the user-role mapping for the RBAC scenario.
+
+## Installation
+
+```
+gem 'casbin', github: 'evrone/casbin-ruby'
+```
+
+## Documentation
+
+https://casbin.org/docs/en/overview
+
+## Online editor
+
+You can also use the online editor (http://casbin.org/editor/) to write your Casbin model and policy in your web browser. It provides functionality such as ``syntax highlighting`` and ``code completion``, just like an IDE for a programming language.
+
+## Tutorials
+
+https://casbin.org/docs/en/tutorials
+
+## Get started
+
+1. New a Casbin enforcer with a model file and a policy file:
+
+```ruby
+# TODO: correct `require`
+require 'casbin'
+enforcer = Casbin::Enforcer.new("path/to/model.conf", "path/to/policy.csv")
+```
+
+Note: you can also initialize an enforcer with policy in DB instead of file, see [Persistence](#persistence) section for details.
+
+2. Add an enforcement hook into your code right before the access happens:
+
+```ruby
+sub = 'alice'  # the user that wants to access a resource.
+obj = 'data1'  # the resource that is going to be accessed.
+act = 'read'  # the operation that the user performs on the resource.
+
+if enforcer.enforce(sub, obj, act)
+  # permit alice to read data1
+  # do something
+else
+  # deny the request, show an error
+end
+```
+
+3. Besides the static policy file, Casbin also provides API for permission management at run-time. For example, You can get all the roles assigned to a user as below:
+
+```ruby
+roles = enforcer.get_roles_for_user('alice')
+```
+
+See [Policy management APIs](#policy-management) for more usage.
+
+4. Please refer to the ``spec/support/files/examples`` files for more usage.
+
+## Policy management
+
+Casbin provides two sets of APIs to manage permissions:
+
+- [Management API](https://github.com/casbin/casbin/blob/master/management_api.go): the primitive API that provides full support for Casbin policy management. See [here](https://github.com/casbin/casbin/blob/master/management_api_test.go) for examples.
+- [RBAC API](https://github.com/casbin/casbin/blob/master/rbac_api.go): a more friendly API for RBAC. This API is a subset of Management API. The RBAC users could use this API to simplify the code. See [here](https://github.com/casbin/casbin/blob/master/rbac_api_test.go) for examples.
+
+We also provide a web-based UI for model management and policy management:
+
+![model editor](https://hsluoyz.github.io/casbin/ui_model_editor.png)
+
+![policy editor](https://hsluoyz.github.io/casbin/ui_policy_editor.png)
+
+## Policy persistence
+
+https://casbin.org/docs/en/adapters
+
+## Role manager
+
+https://casbin.org/docs/en/role-managers
+
+## Benchmarks
+
+https://casbin.org/docs/en/benchmark
+
+## Examples
+
+Model | Model file | Policy file
+----|------|----
+ACL | [basic_model.conf](https://github.com/casbin/casbin/blob/master/examples/basic_model.conf) | [basic_policy.csv](https://github.com/casbin/casbin/blob/master/examples/basic_policy.csv)
+ACL with superuser | [basic_model_with_root.conf](https://github.com/casbin/casbin/blob/master/examples/basic_with_root_model.conf) | [basic_policy.csv](https://github.com/casbin/casbin/blob/master/examples/basic_policy.csv)
+ACL without users | [basic_model_without_users.conf](https://github.com/casbin/casbin/blob/master/examples/basic_without_users_model.conf) | [basic_policy_without_users.csv](https://github.com/casbin/casbin/blob/master/examples/basic_without_users_policy.csv)
+ACL without resources | [basic_model_without_resources.conf](https://github.com/casbin/casbin/blob/master/examples/basic_without_resources_model.conf) | [basic_policy_without_resources.csv](https://github.com/casbin/casbin/blob/master/examples/basic_without_resources_policy.csv)
+RBAC | [rbac_model.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_model.conf)  | [rbac_policy.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_policy.csv)
+RBAC with resource roles | [rbac_model_with_resource_roles.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_resource_roles_model.conf)  | [rbac_policy_with_resource_roles.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_with_resource_roles_policy.csv)
+RBAC with domains/tenants | [rbac_model_with_domains.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_domains_model.conf)  | [rbac_policy_with_domains.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_with_domains_policy.csv)
+ABAC | [abac_model.conf](https://github.com/casbin/casbin/blob/master/examples/abac_model.conf)  | N/A
+RESTful | [keymatch_model.conf](https://github.com/casbin/casbin/blob/master/examples/keymatch_model.conf)  | [keymatch_policy.csv](https://github.com/casbin/casbin/blob/master/examples/keymatch_policy.csv)
+Deny-override | [rbac_model_with_deny.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_deny_model.conf)  | [rbac_policy_with_deny.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_with_deny_policy.csv)
+Priority | [priority_model.conf](https://github.com/casbin/casbin/blob/master/examples/priority_model.conf)  | [priority_policy.csv](https://github.com/casbin/casbin/blob/master/examples/priority_policy.csv)
+
+## Middlewares
+
+In process
+
+## Adopters
+
+In process
+
+## Contributors
+
+## License
+
+## Contact
+
+If you have any issues or feature requests, please contact us. PR is welcomed.
+- https://github.com/evrone/casbin-ruby/issues
+

data/lib/casbin-ruby.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Casbin
+  require 'casbin-ruby/version'
+  require 'casbin-ruby/enforcer'
+  require 'casbin-ruby/synced_enforcer'
+
+  module Persist
+    require 'casbin-ruby/persist/adapter'
+  end
+end

data/lib/casbin-ruby/config/config.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+# represents an implementation of the ConfigInterface
+module Casbin
+  module Config
+    class Config
+      # DEFAULT_SECTION specifies the name of a section if no name provided
+      DEFAULT_SECTION = 'default'
+      # DEFAULT_COMMENT defines what character(s) indicate a comment `#`
+      DEFAULT_COMMENT = '#'
+      # DEFAULT_COMMENT_SEM defines what alternate character(s) indicate a comment `;`
+      DEFAULT_COMMENT_SEM = ';'
+      # DEFAULT_MULTI_LINE_SEPARATOR defines what character indicates a multi-line content
+      DEFAULT_MULTI_LINE_SEPARATOR = '\\'
+
+      attr_reader :data
+
+      def initialize
+        @data = {}
+      end
+
+      def self.new_config(conf_name)
+        new.tap { |config| config.parse(conf_name) }
+      end
+
+      def self.new_config_from_text(text)
+        new.tap { |config| config.parse_from_io StringIO.new(text) }
+      end
+
+      def set(key, value)
+        raise 'key is empty' if key.to_s.size.zero?
+
+        keys = key.downcase.split('::')
+        if keys.size >= 2
+          section = keys[0]
+          option = keys[1]
+        else
+          section = ''
+          option = keys[0]
+        end
+
+        add_config(section, option, value)
+      end
+
+      # section.key or key
+      def get(key)
+        keys = key.to_s.downcase.split('::')
+        if keys.size >= 2
+          section = keys[0]
+          option = keys[1]
+        else
+          section = DEFAULT_SECTION
+          option = keys[0]
+        end
+
+        return '' unless data.key?(section)
+
+        data[section][option] || ''
+      end
+
+      def parse(conf_name)
+        return unless File.exist?(conf_name)
+
+        # 'r:UTF-8' required for Windows
+        File.open(conf_name, 'r:UTF-8') { |f| parse_from_io f }
+      end
+
+      def parse_from_io(io)
+        line_number = 0
+        section = ''
+        multi_line = ''
+
+        io.each_line do |raw|
+          line = raw.chomp
+          line_number += 1
+
+          next if line == '' || line[0] == DEFAULT_COMMENT || line[0] == DEFAULT_COMMENT_SEM
+          next section = line[1...-1] if line[0] == '[' && line[-1] == ']'
+
+          if line[-1] == DEFAULT_MULTI_LINE_SEPARATOR && line.strip.size > 1
+            part = line[0...-1].strip
+            multi_line = multi_line == '' ? part : "#{multi_line} #{part}"
+            next
+          end
+
+          if multi_line == ''
+            write(section, line, line_number)
+          else
+            multi_line += " #{line.strip}" unless line[-1] == DEFAULT_MULTI_LINE_SEPARATOR
+            write(section, multi_line, line_number)
+            multi_line = ''
+          end
+        end
+      end
+
+      def add_config(section, option, value)
+        section = DEFAULT_SECTION if section == ''
+        data[section] ||= {}
+        data[section][option] = value
+      end
+
+      private
+
+      def write(section, line, line_number)
+        option_val = line.split(' = ')
+        option_val[1] ||= '' # if empty value
+        raise "parse the content error : line #{line_number} , #{option_val[0]} = ?" unless option_val.size == 2
+
+        option = option_val[0].strip
+        value = option_val[1].strip
+        add_config(section, option, value)
+      end
+    end
+  end
+end

data/lib/casbin-ruby/core_enforcer.rb

@@ -0,0 +1,356 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/default_effector'
+require 'casbin-ruby/effect/effector'
+require 'casbin-ruby/model/function_map'
+require 'casbin-ruby/model/model'
+require 'casbin-ruby/persist/adapters/file_adapter'
+require 'casbin-ruby/rbac/default_role_manager/role_manager'
+require 'casbin-ruby/util'
+require 'casbin-ruby/util/builtin_operators'
+require 'casbin-ruby/util/evaluator'
+
+require 'logger'
+
+module Casbin
+  # CoreEnforcer defines the core functionality of an enforcer.
+  # get_attr/set_attr methods is ported from Python as attr/attr=
+  class CoreEnforcer
+    def initialize(model = nil, adapter = nil, logger: Logger.new($stdout))
+      if model.is_a? String
+        if adapter.is_a? String
+          init_with_file(model, adapter, logger: logger)
+        else
+          init_with_adapter(model, adapter, logger: logger)
+        end
+      elsif adapter.is_a? String
+        raise 'Invalid parameters for enforcer.'
+      else
+        init_with_model_and_adapter(model, adapter, logger: logger)
+      end
+    end
+
+    attr_accessor :adapter, :auto_build_role_links, :auto_save, :effector, :enabled, :watcher, :rm_map
+    attr_reader :model
+
+    # initializes an enforcer with a model file and a policy file.
+    def init_with_file(model_path, policy_path, logger: Logger.new($stdout))
+      a = Persist::Adapters::FileAdapter.new(policy_path)
+      init_with_adapter(model_path, a, logger: logger)
+    end
+
+    # initializes an enforcer with a database adapter.
+    def init_with_adapter(model_path, adapter = nil, logger: Logger.new($stdout))
+      m = new_model(model_path)
+      init_with_model_and_adapter(m, adapter, logger: logger)
+
+      self.model_path = model_path
+    end
+
+    # initializes an enforcer with a model and a database adapter.
+    def init_with_model_and_adapter(m, adapter = nil, logger: Logger.new($stdout))
+      if !m.is_a?(Model::Model) || (!adapter.nil? && !adapter.is_a?(Persist::Adapter))
+        raise StandardError, 'Invalid parameters for enforcer.'
+      end
+
+      self.adapter = adapter
+
+      self.model = m
+      model.print_model
+      self.fm = Model::FunctionMap.load_function_map
+
+      init(logger: logger)
+
+      # Do not initialize the full policy when using a filtered adapter
+      load_policy if adapter && !filtered?
+    end
+
+    # creates a model.
+    def self.new_model(path = '', text = '', logger: Logger.new($stdout))
+      m = Model::Model.new logger: logger
+      if path.length.positive?
+        m.load_model(path)
+      else
+        m.load_model_from_text(text)
+      end
+
+      m
+    end
+
+    def new_model(*args)
+      self.class.new_model(*args)
+    end
+
+    # reloads the model from the model CONF file.
+    # Because the policy is attached to a model, so the policy is invalidated and needs to be reloaded by calling
+    # load_policy.
+    def load_model
+      self.model = new_model
+      model.load_model model_path
+      model.print_model
+      self.fm = Model::FunctionMap.load_function_map
+    end
+
+    # sets the current model.
+    def model=(m)
+      @model = m
+      self.fm = Model::FunctionMap.load_function_map
+    end
+
+    # gets the current role manager.
+    def role_manager
+      rm_map['g']
+    end
+
+    # sets the current role manager.
+    def role_manager=(rm)
+      rm_map['g'] = rm
+    end
+
+    # clears all policy.
+    def clear_policy
+      model.clear_policy
+    end
+
+    # reloads the policy from file/database.
+    def load_policy
+      model.clear_policy
+      adapter.load_policy model
+
+      init_rm_map
+      model.print_policy
+      build_role_links if auto_build_role_links
+    end
+
+    # reloads a filtered policy from file/database.
+    def load_filtered_policy(filter)
+      model.clear_policy
+
+      raise ArgumentError, 'filtered policies are not supported by this adapter' unless adapter.respond_to?(:filtered?)
+
+      adapter.load_filtered_policy(model, filter)
+      init_rm_map
+      model.print_policy
+      build_role_links if auto_build_role_links
+    end
+
+    # appends a filtered policy from file/database.
+    def load_increment_filtered_policy(filter)
+      raise ArgumentError, 'filtered policies are not supported by this adapter' unless adapter.respond_to?(:filtered?)
+
+      adapter.load_filtered_policy(model, filter)
+      model.print_policy
+      build_role_links if auto_build_role_links
+    end
+
+    # returns true if the loaded policy has been filtered.
+    def filtered?
+      adapter.respond_to?(:filtered?) && adapter.filtered?
+    end
+
+    def save_policy
+      raise 'cannot save a filtered policy' if filtered?
+
+      adapter.save_policy(model)
+
+      watcher&.update
+    end
+
+    alias enabled? enabled
+
+    # changes the enforcing state of Casbin,
+    # when Casbin is disabled, all access will be allowed by the Enforce() function.
+    def enable_enforce(enabled = true)
+      self.enabled = enabled
+    end
+
+    # controls whether to save a policy rule automatically to the adapter when it is added or removed.
+    def enable_auto_save(auto_save)
+      self.auto_save = auto_save
+    end
+
+    # controls whether to rebuild the role inheritance relations when a role is added or deleted.
+    def enable_auto_build_role_links(auto_build_role_links)
+      self.auto_build_role_links = auto_build_role_links
+    end
+
+    # manually rebuild the role inheritance relations.
+    def build_role_links
+      rm_map.each_value(&:clear)
+      model.build_role_links(rm_map)
+    end
+
+    # add_named_matching_func add MatchingFunc by ptype RoleManager
+    def add_named_matching_func(ptype, fn)
+      rm_map[ptype]&.add_matching_func(fn)
+    end
+
+    # add_named_domain_matching_func add MatchingFunc by ptype to RoleManager
+    def add_named_domain_matching_func(ptype, fn)
+      rm_map[ptype]&.add_domain_matching_func(fn)
+    end
+
+    # decides whether a "subject" can access a "object" with the operation "action",
+    # input parameters are usually: (sub, obj, act).
+    def enforce(*rvals)
+      enforce_ex(*rvals)[0]
+    end
+
+    # decides whether a "subject" can access a "object" with the operation "action",
+    # input parameters are usually: (sub, obj, act).
+    # return judge result with reason
+    def enforce_ex(*rvals)
+      return [false, []] unless enabled?
+
+      raise 'model is undefined' unless model.model&.key?('m')
+      raise 'model is undefined' unless model.model['m']&.key?('m')
+
+      r_tokens = model.model['r']['r'].tokens
+      p_tokens = model.model['p']['p'].tokens
+      raise StandardError, 'invalid request size' unless r_tokens.size == rvals.size
+
+      exp_string = model.model['m']['m'].value
+      has_eval = Util.has_eval(exp_string)
+      expression = exp_string
+      policy_effects = Set.new
+      r_parameters = load_params(r_tokens, rvals)
+      policy_len = model.model['p']['p'].policy.size
+      explain_index = -1
+      if policy_len.positive?
+        model.model['p']['p'].policy.each_with_index do |pvals, i|
+          raise StandardError, 'invalid policy size' unless p_tokens.size == pvals.size
+
+          p_parameters = load_params(p_tokens, pvals)
+          parameters = r_parameters.merge(p_parameters)
+
+          if has_eval
+            rule_names = Util.get_eval_value(exp_string)
+            rules = rule_names.map { |rule_name| Util.escape_assertion(p_parameters[rule_name]) }
+            expression = Util.replace_eval(exp_string, rules)
+          end
+
+          result = evaluate(expression, functions, parameters)
+          case result
+          when TrueClass, FalseClass
+            unless result
+              policy_effects.add(Effect::Effector::INDETERMINATE)
+              next
+            end
+          when Numeric
+            if result.zero?
+              policy_effects.add(Effect::Effector::INDETERMINATE)
+              next
+            end
+          else
+            raise 'matcher result should be true, false or a number'
+          end
+
+          if parameters.keys.include?('p_eft')
+            case parameters['p_eft']
+            when 'allow'
+              policy_effects.add(Effect::Effector::ALLOW)
+            when 'deny'
+              policy_effects.add(Effect::Effector::DENY)
+            else
+              policy_effects.add(Effect::Effector::INDETERMINATE)
+            end
+          else
+            policy_effects.add(Effect::Effector::ALLOW)
+          end
+
+          if effector.intermediate_effect(policy_effects) != Effect::Effector::INDETERMINATE
+            explain_index = i
+            break
+          end
+        end
+
+      else
+        raise 'please make sure rule exists in policy when using eval() in matcher' if has_eval
+
+        parameters = r_parameters.clone
+        model.model['p']['p'].tokens.each { |token| parameters[token] = '' }
+        result = evaluate(expression, functions, parameters)
+        if result
+          policy_effects.add(Effect::Effector::ALLOW)
+        else
+          policy_effects.add(Effect::Effector::INDETERMINATE)
+        end
+      end
+
+      final_effect = effector.final_effect(policy_effects)
+      result = Effect::DefaultEffector.effect_to_bool(final_effect)
+
+      # Log request.
+      log_request(rvals, result)
+
+      explain_rule = []
+      explain_rule = model.model['p']['p'].policy[explain_index] if explain_index != -1 && explain_index < policy_len
+      [result, explain_rule]
+    end
+
+    protected
+
+    attr_accessor :model_path, :fm, :auto_motify_watcher
+    attr_reader :logger
+
+    private
+
+    attr_accessor :matcher_map
+
+    def init(logger: Logger.new($stdout))
+      self.rm_map = {}
+      self.effector = Effect::DefaultEffector.get_effector(model.model['e']['e'].value)
+
+      self.enabled = true
+      self.auto_save = true
+      self.auto_build_role_links = true
+
+      @logger = logger
+
+      init_rm_map
+    end
+
+    def evaluate(expr, funcs = {}, params = {})
+      Util::Evaluator.eval(expr, funcs, params)
+    end
+
+    def load_params(tokens, values)
+      params = {}
+      tokens.each_with_index { |token, i| params[token] = values[i] }
+
+      params
+    end
+
+    def functions
+      functions = fm.get_functions
+
+      if model.model.key? 'g'
+        model.model['g'].each do |key, ast|
+          rm = ast.rm
+          functions[key] = Util::BuiltinOperators.generate_g_function(rm)
+        end
+      end
+
+      functions
+    end
+
+    def log_request(rvals, result)
+      req_str = "Request: #{rvals.map(&:to_s).join ', '} ---> #{result}"
+
+      if result
+        logger.info(req_str)
+      else
+        # leaving this in error for now, if it's very noise this can be changed to info or debug
+        logger.error(req_str)
+      end
+    end
+
+    def init_rm_map
+      return unless model.model.keys.include?('g')
+
+      model.model['g'].each_key do |ptype|
+        rm_map[ptype] = Rbac::DefaultRoleManager::RoleManager.new(10, logger: logger)
+      end
+    end
+  end
+end