casbin-ruby 1.0.3 → 1.0.4

data/lib/casbin-ruby/effect/allow_and_deny_effector.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+
+module Casbin
+  module Effect
+    class AllowAndDenyEffector < Effect::Effector
+      # returns a intermediate effect based on the matched effects of the enforcer
+      def intermediate_effect(effects)
+        return DENY if effects.include?(DENY)
+
+        INDETERMINATE
+      end
+
+      # returns the final effect based on the matched effects of the enforcer
+      def final_effect(effects)
+        return DENY if effects.include?(DENY) || !effects.include?(ALLOW)
+
+        ALLOW
+      end
+    end
+  end
+end

data/lib/casbin-ruby/effect/allow_override_effector.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+
+module Casbin
+  module Effect
+    class AllowOverrideEffector < Effect::Effector
+      # returns a intermediate effect based on the matched effects of the enforcer
+      def intermediate_effect(effects)
+        return ALLOW if effects.include?(ALLOW)
+
+        INDETERMINATE
+      end
+
+      # returns the final effect based on the matched effects of the enforcer
+      def final_effect(effects)
+        return ALLOW if effects.include?(ALLOW)
+
+        DENY
+      end
+    end
+  end
+end

data/lib/casbin-ruby/effect/default_effector.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+require 'casbin-ruby/effect/allow_override_effector'
+require 'casbin-ruby/effect/deny_override_effector'
+require 'casbin-ruby/effect/allow_and_deny_effector'
+require 'casbin-ruby/effect/priority_effector'
+
+module Casbin
+  module Effect
+    # default effector for Casbin.
+    class DefaultEffector < Effect::Effector
+      # creates an effector based on the current policy effect expression
+      def self.get_effector(expr)
+        case expr
+        when 'some(where (p_eft == allow))'
+          Effect::AllowOverrideEffector.new
+        when '!some(where (p_eft == deny))'
+          Effect::DenyOverrideEffector.new
+        when 'some(where (p_eft == allow)) && !some(where (p_eft == deny))'
+          Effect::AllowAndDenyEffector.new
+        when 'priority(p_eft) || deny'
+          Effect::PriorityEffector.new
+        else
+          raise 'unsupported effect'
+        end
+      end
+
+      def self.effect_to_bool(effect)
+        return true if effect == ALLOW
+        return false if effect == DENY
+
+        raise "effect can't be converted to boolean"
+      end
+    end
+  end
+end

data/lib/casbin-ruby/effect/deny_override_effector.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+
+module Casbin
+  module Effect
+    class DenyOverrideEffector < Effect::Effector
+      # returns a intermediate effect based on the matched effects of the enforcer
+      def intermediate_effect(effects)
+        return DENY if effects.include?(DENY)
+
+        INDETERMINATE
+      end
+
+      # returns the final effect based on the matched effects of the enforcer
+      def final_effect(effects)
+        return DENY if effects.include?(DENY)
+
+        ALLOW
+      end
+    end
+  end
+end

data/lib/casbin-ruby/effect/effector.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Casbin
+  module Effect
+    # Effector is the interface for Casbin effectors.
+    class Effector
+      ALLOW = 0
+      INDETERMINATE = 1
+      DENY = 2
+
+      # returns a intermediate effect based on the matched effects of the enforcer
+      def intermediate_effect(_effects); end
+
+      # returns the final effect based on the matched effects of the enforcer
+      def final_effect(_effects); end
+    end
+  end
+end

data/lib/casbin-ruby/effect/priority_effector.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+
+module Casbin
+  module Effect
+    class PriorityEffector < Effect::Effector
+      # returns a intermediate effect based on the matched effects of the enforcer
+      def intermediate_effect(effects)
+        return ALLOW if effects.include?(ALLOW)
+        return DENY if effects.include?(DENY)
+
+        INDETERMINATE
+      end
+
+      # returns the final effect based on the matched effects of the enforcer
+      def final_effect(effects)
+        return ALLOW if effects.include?(ALLOW)
+        return DENY if effects.include?(DENY)
+
+        DENY
+      end
+    end
+  end
+end

data/lib/casbin-ruby/enforcer.rb

@@ -0,0 +1,189 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/management_enforcer'
+require 'casbin-ruby/util'
+
+module Casbin
+  # Enforcer = ManagementEnforcer + RBAC_API + RBAC_WITH_DOMAIN_API
+  #
+  # creates an enforcer via file or DB.
+  #  File:
+  #    e = casbin.Enforcer("path/to/basic_model.conf", "path/to/basic_policy.csv")
+  #  MySQL DB:
+  #    a = mysqladapter.DBAdapter("mysql", "mysql_username:mysql_password@tcp(127.0.0.1:3306)/")
+  #    e = casbin.Enforcer("path/to/basic_model.conf", a)
+  class Enforcer < ManagementEnforcer
+    # gets the roles that a user has.
+    def get_roles_for_user(name)
+      model.model['g']['g'].rm.get_roles(name)
+    end
+
+    # gets the users that has a role.
+    def get_users_for_role(name)
+      model.model['g']['g'].rm.get_users(name)
+    end
+
+    # determines whether a user has a role.
+    def has_role_for_user(name, role)
+      roles = get_roles_for_user(name)
+      roles.include?(role)
+    end
+
+    # adds a role for a user.
+    # Returns false if the user already has the role (aka not affected).
+    def add_role_for_user(user, role)
+      add_grouping_policy(user, role)
+    end
+
+    # deletes a role for a user.
+    # Returns false if the user does not have the role (aka not affected).
+    def delete_role_for_user(user, role)
+      remove_grouping_policy(user, role)
+    end
+
+    # deletes all roles for a user.
+    # Returns false if the user does not have any roles (aka not affected).
+    def delete_roles_for_user(user)
+      remove_filtered_grouping_policy(0, user)
+    end
+
+    # deletes a user.
+    # Returns false if the user does not exist (aka not affected).
+    def delete_user(user)
+      res1 = remove_filtered_grouping_policy(0, user)
+      res2 = remove_filtered_policy(0, user)
+      res1 || res2
+    end
+
+    # deletes a role.
+    # Returns false if the role does not exist (aka not affected).
+    def delete_role(role)
+      res1 = remove_filtered_grouping_policy(1, role)
+      res2 = remove_filtered_policy(0, role)
+      res1 || res2
+    end
+
+    # deletes a permission.
+    # Returns false if the permission does not exist (aka not affected).
+    def delete_permission(*permission)
+      remove_filtered_policy(1, *permission)
+    end
+
+    # adds a permission for a user or role.
+    # Returns false if the user or role already has the permission (aka not affected).
+    def add_permission_for_user(user, *permission)
+      add_policy(Util.join_slice(user, *permission))
+    end
+
+    # deletes a permission for a user or role.
+    # Returns false if the user or role does not have the permission (aka not affected).
+    def delete_permission_for_user(user, *permission)
+      remove_policy(Util.join_slice(user, *permission))
+    end
+
+    # deletes permissions for a user or role.
+    # Returns false if the user or role does not have any permissions (aka not affected).
+    def delete_permissions_for_user(user)
+      remove_filtered_policy(0, user)
+    end
+
+    # gets permissions for a user or role.
+    def get_permissions_for_user(user)
+      get_filtered_policy(0, user)
+    end
+
+    # determines whether a user has a permission.
+    def has_permission_for_user(user, *permission)
+      has_policy(Util.join_slice(user, *permission))
+    end
+
+    # gets implicit roles that a user has.
+    # Compared to get_roles_for_user(), this function retrieves indirect roles besides direct roles.
+    # For example:
+    # g, alice, role:admin
+    # g, role:admin, role:user
+    # get_roles_for_user("alice") can only get: ["role:admin"].
+    # But get_implicit_roles_for_user("alice") will get: ["role:admin", "role:user"].
+    def get_implicit_roles_for_user(name, domain = nil)
+      res = []
+      queue = [name]
+      while queue.size.positive?
+        name = queue.delete_at(0)
+        rm_map.each_value do |rm|
+          rm.get_roles(name, domain).each do |r|
+            res << r
+            queue << r
+          end
+        end
+      end
+
+      res
+    end
+
+    # gets implicit permissions for a user or role.
+    # Compared to get_permissions_for_user(), this function retrieves permissions for inherited roles.
+    # For example:
+    # p, admin, data1, read
+    # p, alice, data2, read
+    # g, alice, admin
+    # get_permissions_for_user("alice") can only get: [["alice", "data2", "read"]].
+    # But get_implicit_permissions_for_user("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].
+    def get_implicit_permissions_for_user(user, domain = nil)
+      roles = get_implicit_roles_for_user(user, domain)
+      roles.insert(0, user)
+      res = []
+      roles.each do |role|
+        permissions = if domain
+                        get_permissions_for_user_in_domain(role, domain)
+                      else
+                        get_permissions_for_user(role)
+                      end
+
+        res.concat(permissions)
+      end
+
+      res
+    end
+
+    # gets implicit users for a permission.
+    # For example:
+    # p, admin, data1, read
+    # p, bob, data1, read
+    # g, alice, admin
+    # get_implicit_users_for_permission("data1", "read") will get: ["alice", "bob"].
+    # Note: only users will be returned, roles (2nd arg in "g") will be excluded.
+    def get_implicit_users_for_permission(*permission)
+      subjects = get_all_subjects
+      roles = get_all_roles
+      users = Util.set_subtract(subjects, roles)
+      users.find_all { |user| enforce(*Util.join_slice(user, *permission)) }
+    end
+
+    # gets the roles that a user has inside a domain.
+    def get_roles_for_user_in_domain(name, domain)
+      model.model['g']['g'].rm.get_roles(name, domain)
+    end
+
+    # gets the users that has a role inside a domain.
+    def get_users_for_role_in_domain(name, domain)
+      model.model['g']['g'].rm.get_users(name, domain)
+    end
+
+    # adds a role for a user inside a domain.
+    # Returns false if the user already has the role (aka not affected).
+    def add_role_for_user_in_domain(user, role, domain)
+      add_grouping_policy(user, role, domain)
+    end
+
+    # deletes a role for a user inside a domain.
+    # Returns false if the user does not have any roles (aka not affected).
+    def delete_roles_for_user_in_domain(user, role, domain)
+      remove_filtered_grouping_policy(0, user, role, domain)
+    end
+
+    # gets permissions for a user or role inside domain.
+    def get_permissions_for_user_in_domain(user, domain)
+      get_filtered_policy(0, user, domain)
+    end
+  end
+end

data/lib/casbin-ruby/internal_enforcer.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/core_enforcer'
+
+module Casbin
+  # InternalEnforcer = CoreEnforcer + Internal API.
+  class InternalEnforcer < CoreEnforcer
+    protected
+
+    # adds a rule to the current policy.
+    def add_policy(sec, ptype, rule)
+      return false unless model.add_policy(sec, ptype, rule)
+
+      make_persistent :add_policy, sec, ptype, rule
+    end
+
+    # adds rules to the current policy.
+    def add_policies(sec, ptype, rules)
+      return false unless model.add_policies(sec, ptype, rules)
+
+      make_persistent :add_policies, sec, ptype, rules
+    end
+
+    # updates a rule from the current policy.
+    def update_policy(sec, ptype, old_rule, new_rule)
+      return false unless model.update_policy(sec, ptype, old_rule, new_rule)
+
+      make_persistent :update_policy, sec, ptype, old_rule, new_rule
+    end
+
+    # updates rules from the current policy.
+    def update_policies(sec, ptype, old_rules, new_rules)
+      return false unless model.update_policies(sec, ptype, old_rules, new_rules)
+
+      make_persistent :update_policies, sec, ptype, old_rules, new_rules
+    end
+
+    # removes a rule from the current policy.
+    def remove_policy(sec, ptype, rule)
+      return false unless model.remove_policy(sec, ptype, rule)
+
+      make_persistent :remove_policy, sec, ptype, rule
+    end
+
+    # removes policy rules from the model.
+    def remove_policies(sec, ptype, rules)
+      return false unless model.remove_policies(sec, ptype, rules)
+
+      make_persistent :remove_policies, sec, ptype, rules
+    end
+
+    # removes rules based on field filters from the current policy.
+    def remove_filtered_policy(sec, ptype, field_index, *field_values)
+      return false unless model.remove_filtered_policy(sec, ptype, field_index, *field_values)
+
+      make_persistent :remove_filtered_policy, sec, ptype, field_index, *field_values
+    end
+
+    private
+
+    def make_persistent(meth, *args)
+      if adapter && auto_save
+        # we can add the `add_policies`, `update_policy`, `update_policies`, `remove_policies` methods
+        # to the base Adapter class and remove `respond_to?`
+        return false unless adapter.respond_to?(meth) && adapter.public_send(meth, *args)
+
+        watcher&.update
+      end
+
+      true
+    end
+  end
+end

data/lib/casbin-ruby/management_enforcer.rb

@@ -0,0 +1,297 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/internal_enforcer'
+
+module Casbin
+  # ManagementEnforcer = InternalEnforcer + Management API.
+  class ManagementEnforcer < InternalEnforcer
+    alias parent_add_policy add_policy
+    alias parent_add_policies add_policies
+    alias parent_update_policy update_policy
+    alias parent_update_policies update_policies
+    alias parent_remove_policy remove_policy
+    alias parent_remove_policies remove_policies
+    alias parent_remove_filtered_policy remove_filtered_policy
+
+    # gets the list of subjects that show up in the current policy.
+    def get_all_subjects
+      get_all_named_subjects('p')
+    end
+
+    # gets the list of subjects that show up in the current named policy.
+    def get_all_named_subjects(ptype)
+      model.get_values_for_field_in_policy('p', ptype, 0)
+    end
+
+    # gets the list of objects that show up in the current policy.
+    def get_all_objects
+      get_all_named_objects('p')
+    end
+
+    # gets the list of objects that show up in the current named policy.
+    def get_all_named_objects(ptype)
+      model.get_values_for_field_in_policy('p', ptype, 1)
+    end
+
+    # gets the list of actions that show up in the current policy.
+    def get_all_actions
+      get_all_named_actions('p')
+    end
+
+    # gets the list of actions that show up in the current named policy.
+    def get_all_named_actions(ptype)
+      model.get_values_for_field_in_policy('p', ptype, 2)
+    end
+
+    # gets the list of roles that show up in the current named policy.
+    def get_all_roles
+      get_all_named_roles('g')
+    end
+
+    def get_all_named_roles(ptype)
+      model.get_values_for_field_in_policy('g', ptype, 1)
+    end
+
+    # gets all the authorization rules in the policy.
+    def get_policy
+      get_named_policy('p')
+    end
+
+    # gets all the authorization rules in the policy, field filters can be specified.
+    def get_filtered_policy(field_index, *field_values)
+      get_filtered_named_policy('p', field_index, *field_values)
+    end
+
+    # gets all the authorization rules in the named policy.
+    def get_named_policy(ptype)
+      model.get_policy('p', ptype)
+    end
+
+    # gets all the authorization rules in the named policy, field filters can be specified.
+    def get_filtered_named_policy(ptype, field_index, *field_values)
+      model.get_filtered_policy('p', ptype, field_index, *field_values)
+    end
+
+    # gets all the role inheritance rules in the policy.
+    def get_grouping_policy
+      get_named_grouping_policy('g')
+    end
+
+    # gets all the role inheritance rules in the policy, field filters can be specified.
+    def get_filtered_grouping_policy(field_index, *field_values)
+      get_filtered_named_grouping_policy('g', field_index, *field_values)
+    end
+
+    # gets all the role inheritance rules in the policy.
+    def get_named_grouping_policy(ptype)
+      model.get_policy('g', ptype)
+    end
+
+    # gets all the role inheritance rules in the policy, field filters can be specified.
+    def get_filtered_named_grouping_policy(ptype, field_index, *field_values)
+      model.get_filtered_policy('g', ptype, field_index, *field_values)
+    end
+
+    # determines whether an authorization rule exists.
+    def has_policy(*params)
+      has_named_policy('p', *params)
+    end
+
+    # determines whether a named authorization rule exists.
+    def has_named_policy(ptype, *params)
+      if params.size == 1 && params[0].is_a?(Array)
+        model.has_policy('p', ptype, params[0])
+      else
+        model.has_policy('p', ptype, [params])
+      end
+    end
+
+    # adds an authorization rule to the current policy.
+    #
+    # If the rule already exists, the function returns false and the rule will not be added.
+    # Otherwise the function returns true by adding the new rule.
+    def add_policy(*params)
+      add_named_policy('p', *params)
+    end
+
+    # adds authorization rules to the current policy.
+    #
+    # If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
+    # Otherwise the function returns true for the corresponding rule by adding the new rule.
+    def add_policies(rules)
+      add_named_policies('p', rules)
+    end
+
+    # adds an authorization rule to the current named policy.
+    #
+    # If the rule already exists, the function returns false and the rule will not be added.
+    # Otherwise the function returns true by adding the new rule.
+    def add_named_policy(ptype, *params)
+      if params.size == 1 && params[0].is_a?(Array)
+        parent_add_policy('p', ptype, params[0])
+      else
+        parent_add_policy('p', ptype, [params])
+      end
+    end
+
+    # adds authorization rules to the current named policy.
+    #
+    # If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
+    # Otherwise the function returns true for the corresponding by adding the new rule.
+    def add_named_policies(ptype, rules)
+      parent_add_policies('p', ptype, rules)
+    end
+
+    # updates an authorization rule from the current policy.
+    def update_policy(old_rule, new_rule)
+      update_named_policy('p', old_rule, new_rule)
+    end
+
+    # updates authorization rules from the current policy.
+    def update_policies(old_rules, new_rules)
+      update_named_policies('p', old_rules, new_rules)
+    end
+
+    # updates an authorization rule from the current named policy.
+    def update_named_policy(ptype, old_rule, new_rule)
+      parent_update_policy('p', ptype, old_rule, new_rule)
+    end
+
+    # updates authorization rules from the current named policy.
+    def update_named_policies(ptype, old_rules, new_rules)
+      parent_update_policies('p', ptype, old_rules, new_rules)
+    end
+
+    # removes an authorization rule from the current policy.
+    def remove_policy(*params)
+      remove_named_policy('p', *params)
+    end
+
+    # removes authorization rules from the current policy.
+    def remove_policies(rules)
+      remove_named_policies('p', rules)
+    end
+
+    # removes an authorization rule from the current policy, field filters can be specified.
+    def remove_filtered_policy(field_index, *field_values)
+      remove_filtered_named_policy('p', field_index, *field_values)
+    end
+
+    # removes an authorization rule from the current named policy.
+    def remove_named_policy(ptype, *params)
+      if params.size == 1 && params[0].is_a?(Array)
+        parent_remove_policy('p', ptype, params[0])
+      else
+        parent_remove_policy('p', ptype, [params])
+      end
+    end
+
+    # removes authorization rules from the current named policy.
+    def remove_named_policies(ptype, rules)
+      parent_remove_policies('p', ptype, rules)
+    end
+
+    # removes an authorization rule from the current named policy, field filters can be specified.
+    def remove_filtered_named_policy(ptype, field_index, *field_values)
+      parent_remove_filtered_policy('p', ptype, field_index, *field_values)
+    end
+
+    # determines whether a role inheritance rule exists.
+    def has_grouping_policy
+      has_named_grouping_policy('g', *params)
+    end
+
+    # determines whether a named role inheritance rule exists.
+    def has_named_grouping_policy(ptype, *params)
+      if params.size == 1 && params[0].is_a?(Array)
+        model.has_policy('g', ptype, params[0])
+      else
+        model.has_policy('g', ptype, [params])
+      end
+    end
+
+    # adds a role inheritance rule to the current policy.
+    #
+    # If the rule already exists, the function returns false and the rule will not be added.
+    # Otherwise the function returns true by adding the new rule.
+    def add_grouping_policy(*params)
+      add_named_grouping_policy('g', *params)
+    end
+
+    # adds role inheritance rulea to the current policy.
+    #
+    # If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be
+    # added.
+    # Otherwise the function returns true for the corresponding policy rule by adding the new rule.
+    def add_grouping_policies(rules)
+      add_named_grouping_policies('g', rules)
+    end
+
+    # adds a named role inheritance rule to the current policy.
+    #
+    # If the rule already exists, the function returns false and the rule will not be added.
+    # Otherwise the function returns true by adding the new rule.
+    def add_named_grouping_policy(ptype, *params)
+      rule_added = if params.size == 1 && params[0].is_a?(Array)
+                     parent_add_policy('g', ptype, params[0])
+                   else
+                     parent_add_policy('g', ptype, [params])
+                   end
+
+      auto_build_role_links ? build_role_links : rule_added
+    end
+
+    # adds named role inheritance rules to the current policy.
+    #
+    # If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be
+    # added.
+    # Otherwise the function returns true for the corresponding policy rule by adding the new rule.
+    def add_named_grouping_policies(ptype, rules)
+      rules_added = parent_add_policies('g', ptype, rules)
+      auto_build_role_links ? build_role_links : rules_added
+    end
+
+    # removes a role inheritance rule from the current policy.
+    def remove_grouping_policy(*params)
+      remove_named_grouping_policy('g', *params)
+    end
+
+    # removes role inheritance rulea from the current policy.
+    def remove_grouping_policies(rules)
+      remove_named_grouping_policies('g', rules)
+    end
+
+    # removes a role inheritance rule from the current policy, field filters can be specified.
+    def remove_filtered_grouping_policy(field_index, *field_values)
+      remove_filtered_named_grouping_policy('g', field_index, *field_values)
+    end
+
+    # removes a role inheritance rule from the current named policy.
+    def remove_named_grouping_policy(ptype, *params)
+      rule_added = if params.size == 1 && params[0].is_a?(Array)
+                     parent_remove_policy('g', ptype, params[0])
+                   else
+                     parent_remove_policy('g', ptype, [params])
+                   end
+
+      auto_build_role_links ? build_role_links : rule_added
+    end
+
+    # removes role inheritance rules from the current named policy.
+    def remove_named_grouping_policies(ptype, rules)
+      rules_removed = parent_remove_policies('g', ptype, rules)
+      auto_build_role_links ? build_role_links : rules_removed
+    end
+
+    # removes a role inheritance rule from the current named policy, field filters can be specified.
+    def remove_filtered_named_grouping_policy(ptype, field_index, *field_values)
+      rule_removed = parent_remove_filtered_policy('g', ptype, field_index, *field_values)
+      auto_build_role_links ? build_role_links : rule_removed
+    end
+
+    # adds a customized function.
+    def add_function(name, func)
+      fm.add_function(name, func)
+    end
+  end
+end