casbin-ruby 1.0.3 → 1.0.4
- checksums.yaml +4 -4
- data/README.md +242 -0
- data/lib/casbin-ruby.rb +11 -0
- data/lib/casbin-ruby/config/config.rb +115 -0
- data/lib/casbin-ruby/core_enforcer.rb +356 -0
- data/lib/casbin-ruby/effect/allow_and_deny_effector.rb +23 -0
- data/lib/casbin-ruby/effect/allow_override_effector.rb +23 -0
- data/lib/casbin-ruby/effect/default_effector.rb +37 -0
- data/lib/casbin-ruby/effect/deny_override_effector.rb +23 -0
- data/lib/casbin-ruby/effect/effector.rb +18 -0
- data/lib/casbin-ruby/effect/priority_effector.rb +25 -0
- data/lib/casbin-ruby/enforcer.rb +189 -0
- data/lib/casbin-ruby/internal_enforcer.rb +73 -0
- data/lib/casbin-ruby/management_enforcer.rb +297 -0
- data/lib/casbin-ruby/model/assertion.rb +33 -0
- data/lib/casbin-ruby/model/function_map.rb +30 -0
- data/lib/casbin-ruby/model/model.rb +80 -0
- data/lib/casbin-ruby/model/policy.rb +161 -0
- data/lib/casbin-ruby/persist/adapter.rb +39 -0
- data/lib/casbin-ruby/persist/adapters/file_adapter.rb +53 -0
- data/lib/casbin-ruby/persist/batch_adapter.rb +16 -0
- data/lib/casbin-ruby/persist/filtered_adapter.rb +17 -0
- data/lib/casbin-ruby/rbac/default_role_manager/role.rb +54 -0
- data/lib/casbin-ruby/rbac/default_role_manager/role_manager.rb +146 -0
- data/lib/casbin-ruby/rbac/role_manager.rb +22 -0
- data/lib/casbin-ruby/synced_enforcer.rb +39 -0
- data/lib/casbin-ruby/util.rb +80 -0
- data/lib/casbin-ruby/util/builtin_operators.rb +105 -0
- data/lib/casbin-ruby/util/evaluator.rb +27 -0
- data/lib/casbin-ruby/util/thread_lock.rb +19 -0
- data/lib/casbin-ruby/version.rb +5 -0
- data/spec/casbin/config/config_spec.rb +66 -0
- data/spec/casbin/core_enforcer_spec.rb +473 -0
- data/spec/casbin/enforcer_spec.rb +302 -0
- data/spec/casbin/model/function_map_spec.rb +28 -0
- data/spec/casbin/rbac/default_role_manager/role_manager_spec.rb +131 -0
- data/spec/casbin/rbac/default_role_manager/role_spec.rb +84 -0
- data/spec/casbin/util/builtin_operators_spec.rb +205 -0
- data/spec/casbin/util_spec.rb +98 -0
- data/spec/support/model_helper.rb +9 -0
- metadata +51 -3
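--- a/data/lib/casbin-ruby/effect/allow_and_deny_effector.rb
+++ b/data/lib/casbin-ruby/effect/allow_and_deny_effector.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+
+module Casbin
+module Effect
+class AllowAndDenyEffector < Effect::Effector
+# returns a intermediate effect based on the matched effects of the enforcer
+def intermediate_effect(effects)
+return DENY if effects.include?(DENY)
+
+INDETERMINATE
+end
+
+# returns the final effect based on the matched effects of the enforcer
+def final_effect(effects)
+return DENY if effects.include?(DENY) || !effects.include?(ALLOW)
+
+ALLOW
+end
+end
+end
+end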
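--- a/data/lib/casbin-ruby/effect/allow_override_effector.rb
+++ b/data/lib/casbin-ruby/effect/allow_override_effector.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+
+module Casbin
+module Effect
+class AllowOverrideEffector < Effect::Effector
+# returns a intermediate effect based on the matched effects of the enforcer
+def intermediate_effect(effects)
+return ALLOW if effects.include?(ALLOW)
+
+INDETERMINATE
+end
+
+# returns the final effect based on the matched effects of the enforcer
+def final_effect(effects)
+return ALLOW if effects.include?(ALLOW)
+
+DENY
+end
+end
+end
+end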
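--- a/data/lib/casbin-ruby/effect/default_effector.rb
+++ b/data/lib/casbin-ruby/effect/default_effector.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+require 'casbin-ruby/effect/allow_override_effector'
+require 'casbin-ruby/effect/deny_override_effector'
+require 'casbin-ruby/effect/allow_and_deny_effector'
+require 'casbin-ruby/effect/priority_effector'
+
+module Casbin
+module Effect
+# default effector for Casbin.
+class DefaultEffector < Effect::Effector
+# creates an effector based on the current policy effect expression
+def self.get_effector(expr)
+case expr
+when 'some(where (p_eft == allow))'
+Effect::AllowOverrideEffector.new
+when '!some(where (p_eft == deny))'
+Effect::DenyOverrideEffector.new
+when 'some(where (p_eft == allow)) && !some(where (p_eft == deny))'
+Effect::AllowAndDenyEffector.new
+when 'priority(p_eft) || deny'
+Effect::PriorityEffector.new
+else
+raise 'unsupported effect'
+end
+end
+
+def self.effect_to_bool(effect)
+return true if effect == ALLOW
+return false if effect == DENY
+
+raise "effect can't be converted to boolean"
+end
+end
+end
+end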
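Review bot: `effect_to_bool` has no comment, and its handling of anything other than `ALLOW`/`DENY` is the security-relevant part of its contract: it raises instead of returning a boolean, so a caller that rescues the error has to treat it as a denial. I would state that above the method, e.g. `# converts ALLOW/DENY to true/false; raises for any other value (including INDETERMINATE) so an undecided result is never read as allow`. In `get_effector` the `when` branches compare the whole expression string, so a model whose effect line differs only in spacing ends in `raise 'unsupported effect'`; putting the expression in the message, `raise "unsupported effect: #{expr.inspect}"`, would make that misconfiguration diagnosable.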
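--- a/data/lib/casbin-ruby/effect/deny_override_effector.rb
+++ b/data/lib/casbin-ruby/effect/deny_override_effector.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+
+module Casbin
+module Effect
+class DenyOverrideEffector < Effect::Effector
+# returns a intermediate effect based on the matched effects of the enforcer
+def intermediate_effect(effects)
+return DENY if effects.include?(DENY)
+
+INDETERMINATE
+end
+
+# returns the final effect based on the matched effects of the enforcer
+def final_effect(effects)
+return DENY if effects.include?(DENY)
+
+ALLOW
+end
+end
+end
+end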
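Review bot: `final_effect` returns `ALLOW` whenever `effects` holds no `DENY`, and that includes an empty list, so under this effector a request that matches no policy line is permitted. That follows from the `!some(where (p_eft == deny))` expression it is selected for in `DefaultEffector.get_effector`, but it is the opposite default from `AllowOverrideEffector#final_effect` and should be stated on the method, e.g. `# default-allow: returns ALLOW unless a deny rule matched, including when nothing matched at all`.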
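--- a/data/lib/casbin-ruby/effect/effector.rb
+++ b/data/lib/casbin-ruby/effect/effector.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Casbin
+module Effect
+# Effector is the interface for Casbin effectors.
+class Effector
+ALLOW = 0
+INDETERMINATE = 1
+DENY = 2
+
+# returns a intermediate effect based on the matched effects of the enforcer
+def intermediate_effect(_effects); end
+
+# returns the final effect based on the matched effects of the enforcer
+def final_effect(_effects); end
+end
+end
+end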
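Review bot: The base-class `intermediate_effect` and `final_effect` have empty bodies and therefore return `nil`, so a subclass that forgets to override one hands `nil` to its caller instead of failing where the mistake is. `DefaultEffector.effect_to_bool` would raise on `nil`, but a caller that only tests the result for truthiness would see no error. Raising in the base methods makes the interface contract explicit, e.g. `def final_effect(_effects); raise NotImplementedError, "#{self.class} must implement final_effect"; end`, and the same for `intermediate_effect`.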
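--- a/data/lib/casbin-ruby/effect/priority_effector.rb
+++ b/data/lib/casbin-ruby/effect/priority_effector.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/effect/effector'
+
+module Casbin
+module Effect
+class PriorityEffector < Effect::Effector
+# returns a intermediate effect based on the matched effects of the enforcer
+def intermediate_effect(effects)
+return ALLOW if effects.include?(ALLOW)
+return DENY if effects.include?(DENY)
+
+INDETERMINATE
+end
+
+# returns the final effect based on the matched effects of the enforcer
+def final_effect(effects)
+return ALLOW if effects.include?(ALLOW)
+return DENY if effects.include?(DENY)
+
+DENY
+end
+end
+end
+end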
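Review bot: Both methods test for `ALLOW` before `DENY` regardless of position in `effects`, so a list that holds a deny followed by an allow resolves to `ALLOW`; the `priority(p_eft) || deny` semantics therefore depend on the caller stopping at the first rule whose intermediate effect is determinate. That caller (core_enforcer.rb) is not among the sections shown here, so I would at least record the assumption on the class: `# relies on the enforcer stopping at the first rule whose effect is not INDETERMINATE; effects must never hold both ALLOW and DENY`. Separately, in `final_effect` the line `return DENY if effects.include?(DENY)` is redundant because the method ends in `DENY` anyway and can be dropped.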
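--- a/data/lib/casbin-ruby/enforcer.rb
+++ b/data/lib/casbin-ruby/enforcer.rb
@@ -0,0 +1,189 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/management_enforcer'
+require 'casbin-ruby/util'
+
+module Casbin
+# Enforcer = ManagementEnforcer + RBAC_API + RBAC_WITH_DOMAIN_API
+#
+# creates an enforcer via file or DB.
+# File:
+# e = casbin.Enforcer("path/to/basic_model.conf", "path/to/basic_policy.csv")
+# MySQL DB:
+# a = mysqladapter.DBAdapter("mysql", "mysql_username:mysql_password@tcp(127.0.0.1:3306)/")
+# e = casbin.Enforcer("path/to/basic_model.conf", a)
+class Enforcer < ManagementEnforcer
+# gets the roles that a user has.
+def get_roles_for_user(name)
+model.model['g']['g'].rm.get_roles(name)
+end
+
+# gets the users that has a role.
+def get_users_for_role(name)
+model.model['g']['g'].rm.get_users(name)
+end
+
+# determines whether a user has a role.
+def has_role_for_user(name, role)
+roles = get_roles_for_user(name)
+roles.include?(role)
+end
+
+# adds a role for a user.
+# Returns false if the user already has the role (aka not affected).
+def add_role_for_user(user, role)
+add_grouping_policy(user, role)
+end
+
+# deletes a role for a user.
+# Returns false if the user does not have the role (aka not affected).
+def delete_role_for_user(user, role)
+remove_grouping_policy(user, role)
+end
+
+# deletes all roles for a user.
+# Returns false if the user does not have any roles (aka not affected).
+def delete_roles_for_user(user)
+remove_filtered_grouping_policy(0, user)
+end
+
+# deletes a user.
+# Returns false if the user does not exist (aka not affected).
+def delete_user(user)
+res1 = remove_filtered_grouping_policy(0, user)
+res2 = remove_filtered_policy(0, user)
+res1 || res2
+end
+
+# deletes a role.
+# Returns false if the role does not exist (aka not affected).
+def delete_role(role)
+res1 = remove_filtered_grouping_policy(1, role)
+res2 = remove_filtered_policy(0, role)
+res1 || res2
+end
+
+# deletes a permission.
+# Returns false if the permission does not exist (aka not affected).
+def delete_permission(*permission)
+remove_filtered_policy(1, *permission)
+end
+
+# adds a permission for a user or role.
+# Returns false if the user or role already has the permission (aka not affected).
+def add_permission_for_user(user, *permission)
+add_policy(Util.join_slice(user, *permission))
+end
+
+# deletes a permission for a user or role.
+# Returns false if the user or role does not have the permission (aka not affected).
+def delete_permission_for_user(user, *permission)
+remove_policy(Util.join_slice(user, *permission))
+end
+
+# deletes permissions for a user or role.
+# Returns false if the user or role does not have any permissions (aka not affected).
+def delete_permissions_for_user(user)
+remove_filtered_policy(0, user)
+end
+
+# gets permissions for a user or role.
+def get_permissions_for_user(user)
+get_filtered_policy(0, user)
+end
+
+# determines whether a user has a permission.
+def has_permission_for_user(user, *permission)
+has_policy(Util.join_slice(user, *permission))
+end
+
+# gets implicit roles that a user has.
+# Compared to get_roles_for_user(), this function retrieves indirect roles besides direct roles.
+# For example:
+# g, alice, role:admin
+# g, role:admin, role:user
+# get_roles_for_user("alice") can only get: ["role:admin"].
+# But get_implicit_roles_for_user("alice") will get: ["role:admin", "role:user"].
+def get_implicit_roles_for_user(name, domain = nil)
+res = []
+queue = [name]
+while queue.size.positive?
+name = queue.delete_at(0)
+rm_map.each_value do |rm|
+rm.get_roles(name, domain).each do |r|
+res << r
+queue << r
+end
+end
+end
+
+res
+end
+
+# gets implicit permissions for a user or role.
+# Compared to get_permissions_for_user(), this function retrieves permissions for inherited roles.
+# For example:
+# p, admin, data1, read
+# p, alice, data2, read
+# g, alice, admin
+# get_permissions_for_user("alice") can only get: [["alice", "data2", "read"]].
+# But get_implicit_permissions_for_user("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].
+def get_implicit_permissions_for_user(user, domain = nil)
+roles = get_implicit_roles_for_user(user, domain)
+roles.insert(0, user)
+res = []
+roles.each do |role|
+permissions = if domain
+get_permissions_for_user_in_domain(role, domain)
+else
+get_permissions_for_user(role)
+end
+
+res.concat(permissions)
+end
+
+res
+end
+
+# gets implicit users for a permission.
+# For example:
+# p, admin, data1, read
+# p, bob, data1, read
+# g, alice, admin
+# get_implicit_users_for_permission("data1", "read") will get: ["alice", "bob"].
+# Note: only users will be returned, roles (2nd arg in "g") will be excluded.
+def get_implicit_users_for_permission(*permission)
+subjects = get_all_subjects
+roles = get_all_roles
+users = Util.set_subtract(subjects, roles)
+users.find_all { |user| enforce(*Util.join_slice(user, *permission)) }
+end
+
+# gets the roles that a user has inside a domain.
+def get_roles_for_user_in_domain(name, domain)
+model.model['g']['g'].rm.get_roles(name, domain)
+end
+
+# gets the users that has a role inside a domain.
+def get_users_for_role_in_domain(name, domain)
+model.model['g']['g'].rm.get_users(name, domain)
+end
+
+# adds a role for a user inside a domain.
+# Returns false if the user already has the role (aka not affected).
+def add_role_for_user_in_domain(user, role, domain)
+add_grouping_policy(user, role, domain)
+end
+
+# deletes a role for a user inside a domain.
+# Returns false if the user does not have any roles (aka not affected).
+def delete_roles_for_user_in_domain(user, role, domain)
+remove_filtered_grouping_policy(0, user, role, domain)
+end
+
+# gets permissions for a user or role inside domain.
+def get_permissions_for_user_in_domain(user, domain)
+get_filtered_policy(0, user, domain)
+end
+end
+end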
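Review bot: `get_implicit_roles_for_user` walks the role graph without remembering which names it has already visited, so if the grouping policy contains a cycle (`g, a, b` together with `g, b, a`) and the role managers return it as stored, the `while` loop never ends and `res` grows without bound. role_manager.rb is not among the sections shown here, so whether cycles are rejected earlier cannot be confirmed from this page. A role reachable by two paths is also returned twice, and `get_implicit_permissions_for_user` then repeats its permissions. Tracking visited names bounds the traversal and removes the duplicates; the rewrite below also stops reassigning the `name` parameter.

```ruby
def get_implicit_roles_for_user(name, domain = nil)
  res = []
  seen = { name => true }
  queue = [name]
  until queue.empty?
    current = queue.shift
    rm_map.each_value do |rm|
      rm.get_roles(current, domain).each do |r|
        next if seen[r]

        seen[r] = true
        res << r
        queue << r
      end
    end
  end

  res
end
```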
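--- a/data/lib/casbin-ruby/internal_enforcer.rb
+++ b/data/lib/casbin-ruby/internal_enforcer.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/core_enforcer'
+
+module Casbin
+# InternalEnforcer = CoreEnforcer + Internal API.
+class InternalEnforcer < CoreEnforcer
+protected
+
+# adds a rule to the current policy.
+def add_policy(sec, ptype, rule)
+return false unless model.add_policy(sec, ptype, rule)
+
+make_persistent :add_policy, sec, ptype, rule
+end
+
+# adds rules to the current policy.
+def add_policies(sec, ptype, rules)
+return false unless model.add_policies(sec, ptype, rules)
+
+make_persistent :add_policies, sec, ptype, rules
+end
+
+# updates a rule from the current policy.
+def update_policy(sec, ptype, old_rule, new_rule)
+return false unless model.update_policy(sec, ptype, old_rule, new_rule)
+
+make_persistent :update_policy, sec, ptype, old_rule, new_rule
+end
+
+# updates rules from the current policy.
+def update_policies(sec, ptype, old_rules, new_rules)
+return false unless model.update_policies(sec, ptype, old_rules, new_rules)
+
+make_persistent :update_policies, sec, ptype, old_rules, new_rules
+end
+
+# removes a rule from the current policy.
+def remove_policy(sec, ptype, rule)
+return false unless model.remove_policy(sec, ptype, rule)
+
+make_persistent :remove_policy, sec, ptype, rule
+end
+
+# removes policy rules from the model.
+def remove_policies(sec, ptype, rules)
+return false unless model.remove_policies(sec, ptype, rules)
+
+make_persistent :remove_policies, sec, ptype, rules
+end
+
+# removes rules based on field filters from the current policy.
+def remove_filtered_policy(sec, ptype, field_index, *field_values)
+return false unless model.remove_filtered_policy(sec, ptype, field_index, *field_values)
+
+make_persistent :remove_filtered_policy, sec, ptype, field_index, *field_values
+end
+
+private
+
+def make_persistent(meth, *args)
+if adapter && auto_save
+# we can add the `add_policies`, `update_policy`, `update_policies`, `remove_policies` methods
+# to the base Adapter class and remove `respond_to?`
+return false unless adapter.respond_to?(meth) && adapter.public_send(meth, *args)
+
+watcher&.update
+end
+
+true
+end
+end
+end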
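Review bot: Every method in this class changes the in-memory model first and calls `make_persistent` second, and `make_persistent` returns `false` when the adapter lacks the method or its call returns a falsy value, without undoing the model change. The caller is then told the operation had no effect while the enforcer already decides on the changed policy, and a removal that was not persisted would presumably reappear when the policy is next loaded from the adapter. An adapter that does not implement the operation is a configuration error rather than a "not affected" result, so I would check it before touching the model and fail loudly: `raise NotImplementedError, "adapter does not support #{meth}" unless adapter.respond_to?(meth)`. If the silent `false` is kept, `make_persistent` needs a comment saying that the model and the store can diverge after a `false` return.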
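--- a/data/lib/casbin-ruby/management_enforcer.rb
+++ b/data/lib/casbin-ruby/management_enforcer.rb
@@ -0,0 +1,297 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/internal_enforcer'
+
+module Casbin
+# ManagementEnforcer = InternalEnforcer + Management API.
+class ManagementEnforcer < InternalEnforcer
+alias parent_add_policy add_policy
+alias parent_add_policies add_policies
+alias parent_update_policy update_policy
+alias parent_update_policies update_policies
+alias parent_remove_policy remove_policy
+alias parent_remove_policies remove_policies
+alias parent_remove_filtered_policy remove_filtered_policy
+
+# gets the list of subjects that show up in the current policy.
+def get_all_subjects
+get_all_named_subjects('p')
+end
+
+# gets the list of subjects that show up in the current named policy.
+def get_all_named_subjects(ptype)
+model.get_values_for_field_in_policy('p', ptype, 0)
+end
+
+# gets the list of objects that show up in the current policy.
+def get_all_objects
+get_all_named_objects('p')
+end
+
+# gets the list of objects that show up in the current named policy.
+def get_all_named_objects(ptype)
+model.get_values_for_field_in_policy('p', ptype, 1)
+end
+
+# gets the list of actions that show up in the current policy.
+def get_all_actions
+get_all_named_actions('p')
+end
+
+# gets the list of actions that show up in the current named policy.
+def get_all_named_actions(ptype)
+model.get_values_for_field_in_policy('p', ptype, 2)
+end
+
+# gets the list of roles that show up in the current named policy.
+def get_all_roles
+get_all_named_roles('g')
+end
+
+def get_all_named_roles(ptype)
+model.get_values_for_field_in_policy('g', ptype, 1)
+end
+
+# gets all the authorization rules in the policy.
+def get_policy
+get_named_policy('p')
+end
+
+# gets all the authorization rules in the policy, field filters can be specified.
+def get_filtered_policy(field_index, *field_values)
+get_filtered_named_policy('p', field_index, *field_values)
+end
+
+# gets all the authorization rules in the named policy.
+def get_named_policy(ptype)
+model.get_policy('p', ptype)
+end
+
+# gets all the authorization rules in the named policy, field filters can be specified.
+def get_filtered_named_policy(ptype, field_index, *field_values)
+model.get_filtered_policy('p', ptype, field_index, *field_values)
+end
+
+# gets all the role inheritance rules in the policy.
+def get_grouping_policy
+get_named_grouping_policy('g')
+end
+
+# gets all the role inheritance rules in the policy, field filters can be specified.
+def get_filtered_grouping_policy(field_index, *field_values)
+get_filtered_named_grouping_policy('g', field_index, *field_values)
+end
+
+# gets all the role inheritance rules in the policy.
+def get_named_grouping_policy(ptype)
+model.get_policy('g', ptype)
+end
+
+# gets all the role inheritance rules in the policy, field filters can be specified.
+def get_filtered_named_grouping_policy(ptype, field_index, *field_values)
+model.get_filtered_policy('g', ptype, field_index, *field_values)
+end
+
+# determines whether an authorization rule exists.
+def has_policy(*params)
+has_named_policy('p', *params)
+end
+
+# determines whether a named authorization rule exists.
+def has_named_policy(ptype, *params)
+if params.size == 1 && params[0].is_a?(Array)
+model.has_policy('p', ptype, params[0])
+else
+model.has_policy('p', ptype, [params])
+end
+end
+
+# adds an authorization rule to the current policy.
+#
+# If the rule already exists, the function returns false and the rule will not be added.
+# Otherwise the function returns true by adding the new rule.
+def add_policy(*params)
+add_named_policy('p', *params)
+end
+
+# adds authorization rules to the current policy.
+#
+# If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
+# Otherwise the function returns true for the corresponding rule by adding the new rule.
+def add_policies(rules)
+add_named_policies('p', rules)
+end
+
+# adds an authorization rule to the current named policy.
+#
+# If the rule already exists, the function returns false and the rule will not be added.
+# Otherwise the function returns true by adding the new rule.
+def add_named_policy(ptype, *params)
+if params.size == 1 && params[0].is_a?(Array)
+parent_add_policy('p', ptype, params[0])
+else
+parent_add_policy('p', ptype, [params])
+end
+end
+
+# adds authorization rules to the current named policy.
+#
+# If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
+# Otherwise the function returns true for the corresponding by adding the new rule.
+def add_named_policies(ptype, rules)
+parent_add_policies('p', ptype, rules)
+end
+
+# updates an authorization rule from the current policy.
+def update_policy(old_rule, new_rule)
+update_named_policy('p', old_rule, new_rule)
+end
+
+# updates authorization rules from the current policy.
+def update_policies(old_rules, new_rules)
+update_named_policies('p', old_rules, new_rules)
+end
+
+# updates an authorization rule from the current named policy.
+def update_named_policy(ptype, old_rule, new_rule)
+parent_update_policy('p', ptype, old_rule, new_rule)
+end
+
+# updates authorization rules from the current named policy.
+def update_named_policies(ptype, old_rules, new_rules)
+parent_update_policies('p', ptype, old_rules, new_rules)
+end
+
+# removes an authorization rule from the current policy.
+def remove_policy(*params)
+remove_named_policy('p', *params)
+end
+
+# removes authorization rules from the current policy.
+def remove_policies(rules)
+remove_named_policies('p', rules)
+end
+
+# removes an authorization rule from the current policy, field filters can be specified.
+def remove_filtered_policy(field_index, *field_values)
+remove_filtered_named_policy('p', field_index, *field_values)
+end
+
+# removes an authorization rule from the current named policy.
+def remove_named_policy(ptype, *params)
+if params.size == 1 && params[0].is_a?(Array)
+parent_remove_policy('p', ptype, params[0])
+else
+parent_remove_policy('p', ptype, [params])
+end
+end
+
+# removes authorization rules from the current named policy.
+def remove_named_policies(ptype, rules)
+parent_remove_policies('p', ptype, rules)
+end
+
+# removes an authorization rule from the current named policy, field filters can be specified.
+def remove_filtered_named_policy(ptype, field_index, *field_values)
+parent_remove_filtered_policy('p', ptype, field_index, *field_values)
+end
+
+# determines whether a role inheritance rule exists.
+def has_grouping_policy
+has_named_grouping_policy('g', *params)
+end
+
+# determines whether a named role inheritance rule exists.
+def has_named_grouping_policy(ptype, *params)
+if params.size == 1 && params[0].is_a?(Array)
+model.has_policy('g', ptype, params[0])
+else
+model.has_policy('g', ptype, [params])
+end
+end
+
+# adds a role inheritance rule to the current policy.
+#
+# If the rule already exists, the function returns false and the rule will not be added.
+# Otherwise the function returns true by adding the new rule.
+def add_grouping_policy(*params)
+add_named_grouping_policy('g', *params)
+end
+
+# adds role inheritance rulea to the current policy.
+#
+# If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be
+# added.
+# Otherwise the function returns true for the corresponding policy rule by adding the new rule.
+def add_grouping_policies(rules)
+add_named_grouping_policies('g', rules)
+end
+
+# adds a named role inheritance rule to the current policy.
+#
+# If the rule already exists, the function returns false and the rule will not be added.
+# Otherwise the function returns true by adding the new rule.
+def add_named_grouping_policy(ptype, *params)
+rule_added = if params.size == 1 && params[0].is_a?(Array)
+parent_add_policy('g', ptype, params[0])
+else
+parent_add_policy('g', ptype, [params])
+end
+
+auto_build_role_links ? build_role_links : rule_added
+end
+
+# adds named role inheritance rules to the current policy.
+#
+# If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be
+# added.
+# Otherwise the function returns true for the corresponding policy rule by adding the new rule.
+def add_named_grouping_policies(ptype, rules)
+rules_added = parent_add_policies('g', ptype, rules)
+auto_build_role_links ? build_role_links : rules_added
+end
+
+# removes a role inheritance rule from the current policy.
+def remove_grouping_policy(*params)
+remove_named_grouping_policy('g', *params)
+end
+
+# removes role inheritance rulea from the current policy.
+def remove_grouping_policies(rules)
+remove_named_grouping_policies('g', rules)
+end
+
+# removes a role inheritance rule from the current policy, field filters can be specified.
+def remove_filtered_grouping_policy(field_index, *field_values)
+remove_filtered_named_grouping_policy('g', field_index, *field_values)
+end
+
+# removes a role inheritance rule from the current named policy.
+def remove_named_grouping_policy(ptype, *params)
+rule_added = if params.size == 1 && params[0].is_a?(Array)
+parent_remove_policy('g', ptype, params[0])
+else
+parent_remove_policy('g', ptype, [params])
+end
+
+auto_build_role_links ? build_role_links : rule_added
+end
+
+# removes role inheritance rules from the current named policy.
+def remove_named_grouping_policies(ptype, rules)
+rules_removed = parent_remove_policies('g', ptype, rules)
+auto_build_role_links ? build_role_links : rules_removed
+end
+
+# removes a role inheritance rule from the current named policy, field filters can be specified.
+def remove_filtered_named_grouping_policy(ptype, field_index, *field_values)
+rule_removed = parent_remove_filtered_policy('g', ptype, field_index, *field_values)
+auto_build_role_links ? build_role_links : rule_removed
+end
+
+# adds a customized function.
+def add_function(name, func)
+fm.add_function(name, func)
+end
+end
+end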
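Review bot: `has_grouping_policy` is declared without parameters but its body forwards `*params`, and no `params` method is defined in the classes shown, so a call would raise `NameError`; the signature should be `def has_grouping_policy(*params)`, matching `has_policy`. The grouping mutators end in `auto_build_role_links ? build_role_links : rule_added`, which returns whatever `build_role_links` returns instead of the documented true/false whenever auto-build is on, and rebuilds the links even when nothing changed; `build_role_links if rule_added && auto_build_role_links` followed by `rule_added` keeps the documented result. In the `*params` methods the array branch passes `params[0]` while the other branch passes `[params]`, so the same rule is handed on with different nesting depending on call style; policy.rb is not shown here, so please confirm that the model normalises it. `get_all_named_roles` is the only public method in the file without a comment.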