casbin-ruby 1.0.3 → 1.0.4

data/lib/casbin-ruby/rbac/default_role_manager/role_manager.rb

@@ -0,0 +1,146 @@
+# frozen_string_literal: true
+
+require 'logger'
+require 'casbin-ruby/rbac/role_manager'
+require 'casbin-ruby/rbac/default_role_manager/role'
+
+module Casbin
+  module Rbac
+    module DefaultRoleManager
+      # provides a default implementation for the RoleManager interface
+      class RoleManager < Rbac::RoleManager
+        attr_accessor :all_roles, :max_hierarchy_level, :matching_func, :has_domain_pattern, :domain_matching_func
+        attr_reader :logger
+
+        def initialize(max_hierarchy_level, logger: Logger.new($stdout))
+          super()
+          @logger = logger
+          @all_roles = {}
+          @max_hierarchy_level = max_hierarchy_level
+        end
+
+        def add_matching_func(fn)
+          @matching_func = fn
+        end
+
+        def add_domain_matching_func(fn)
+          self.has_domain_pattern = true
+          self.domain_matching_func = fn
+        end
+
+        def has_role(name)
+          return all_roles.key?(name) if matching_func.nil?
+
+          all_roles.each_key { |key| return true if matching_func.call(name, key) }
+          false
+        end
+
+        def create_role(name)
+          all_roles[name] = Role.new(name) unless all_roles.key?(name)
+          if matching_func
+            all_roles.each do |key, role|
+              all_roles[name].add_role(role) if matching_func.call(name, key) && name != key
+            end
+          end
+
+          all_roles[name]
+        end
+
+        def clear
+          @all_roles = {}
+        end
+
+        def add_link(name1, name2, *domain)
+          names = names_by_domain(name1, name2, *domain)
+
+          role1 = create_role(names[0])
+          role2 = create_role(names[1])
+          role1.add_role(role2)
+        end
+
+        def delete_link(name1, name2, *domain)
+          names = names_by_domain(name1, name2, *domain)
+
+          raise 'error: name1 or name2 does not exist' if !has_role(names[0]) || !has_role(names[1])
+
+          role1 = create_role(names[0])
+          role2 = create_role(names[1])
+          role1.delete_role(role2)
+        end
+
+        def has_link(name1, name2, *domain)
+          names = names_by_domain(name1, name2, *domain)
+
+          return true if names[0] == names[1]
+
+          return false if !has_role(names[0]) || !has_role(names[1])
+
+          if matching_func.nil?
+            role1 = create_role names[0]
+            role1.has_role names[1], max_hierarchy_level
+          else
+            all_roles.each do |key, role|
+              return true if matching_func.call(names[0], key) && role.has_role(names[1], max_hierarchy_level)
+            end
+
+            false
+          end
+        end
+
+        # gets the roles that a subject inherits.
+        # domain is a prefix to the roles.
+        def get_roles(name, *domain)
+          name = name_by_domain(name, *domain)
+          return [] unless has_role(name)
+
+          roles = create_role(name).get_roles
+          if domain.size == 1
+            roles.each_with_index { |value, index| roles[index] = value[domain[0].size + 2..value.size] }
+          end
+
+          roles
+        end
+
+        # gets the users that inherits a subject.
+        # domain is an unreferenced parameter here, may be used in other implementations.
+        def get_users(name, *domain)
+          name = name_by_domain(name, *domain)
+          return [] unless has_role(name)
+
+          all_roles.map do |_key, role|
+            next unless role.has_direct_role(name)
+
+            if domain.size == 1
+              role.name[domain[0].size + 2..role.name.size]
+            else
+              role.name
+            end
+          end.compact
+        end
+
+        def print_roles
+          line = all_roles.map { |_key, role| role.to_string }.compact
+          logger.info(line.join(', '))
+        end
+
+        private
+
+        def names_by_domain(name1, name2, *domain)
+          raise 'error: domain should be 1 parameter' if domain.size > 1
+
+          if domain.size.zero?
+            [name1, name2]
+          else
+            %W[#{domain[0]}::#{name1} #{domain[0]}::#{name2}]
+          end
+        end
+
+        def name_by_domain(name, *domain)
+          raise 'error: domain should be 1 parameter' if domain.size > 1
+
+          domain.size == 1 ? "#{domain[0]}::#{name}" : name
+        end
+      end
+    end
+  end
+end

data/lib/casbin-ruby/rbac/role_manager.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Casbin
+  module Rbac
+    # provides interface to define the operations for managing roles.
+    class RoleManager
+      def clear; end
+
+      def add_link(_name1, _name2, *_domain); end
+
+      def delete_link(_name1, _name2, *_domain); end
+
+      def has_link(_name1, _name2, *_domain); end
+
+      def get_roles(_name, *_domain); end
+
+      def get_users(_name, *_domain); end
+
+      def print_roles; end
+    end
+  end
+end

data/lib/casbin-ruby/synced_enforcer.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'casbin-ruby/util/thread_lock'
+
+module Casbin
+  # SyncedEnforcer wraps Enforcer and provides synchronized access.
+  # It's also a drop-in replacement for Enforcer
+  class SyncedEnforcer < Enforcer
+    # check if SyncedEnforcer is auto loading policies
+    def auto_loading_running?
+      ThreadLock.lock?
+    end
+
+    # starts a thread that will call load_policy every interval seconds
+    def start_auto_load_policy(interval)
+      return if auto_loading_running?
+
+      ThreadLock.thread = Thread.new { auto_load_policy(interval) }
+    end
+
+    # stops the thread started by start_auto_load_policy
+    def stop_auto_load_policy
+      ThreadLock.thread.exit if auto_loading_running?
+    end
+
+    def build_incremental_role_links(op, ptype, rules)
+      model.build_incremental_role_links(role_manager, op, 'g', ptype, rules)
+    end
+
+    private
+
+    def auto_load_policy(interval)
+      while auto_loading_running?
+        sleep(interval)
+        load_policy
+      end
+    end
+  end
+end

data/lib/casbin-ruby/util.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Casbin
+  module Util
+    EVAL_REG = /\beval\(([^),]*)\)/.freeze
+
+    class << self
+      # removes the comments starting with # in the text.
+      def remove_comments(string)
+        string.split('#').first.strip
+      end
+
+      # Escapes the dots in the assertion, because the expression evaluation doesn't support such variable names.
+      # Also it replaces attributes with hash syntax (`r.obj.Owner` -> `r_obj['Owner']`,
+      # `r.obj.Owner.Position` -> `r_obj['Owner']['Position']`), because Keisan functions work
+      # in both regular `f(x)` and postfix `x.f()` notation, where for example `a.f(b,c)` is translated internally
+      # to `f(a,b,c)` - https://github.com/project-eutopia/keisan#specifying-functions
+      # For now we replace attributes for the request elements like `r.sub`, `r.obj`, `r.act`
+      # https://casbin.org/docs/en/abac#how-to-use-abac
+      # We support Unicode in attributes for the compatibility with Golang - https://golang.org/ref/spec#Identifiers
+      def escape_assertion(string)
+        string.gsub(/\br\.(\w+)((?:\.[[:alpha:]_][[:alnum:]_]*)+)/) do |_|
+          param = Regexp.last_match(1)
+          attrs = Regexp.last_match(2)[1..-1]&.split('.')&.map { |attr| "['#{attr}']" }
+          attrs = attrs&.join || ''
+          "r_#{param}#{attrs}"
+        end.gsub('r.', 'r_').gsub('p.', 'p_')
+      end
+
+      # removes any duplicated elements in a string array.
+      def array_remove_duplicates(arr)
+        arr.uniq
+      end
+
+      # gets a printable string for a string array.
+      def array_to_string(arr)
+        arr.join(', ')
+      end
+
+      # gets a printable string for variable number of parameters.
+      def params_to_string(*params)
+        params.join(', ')
+      end
+
+      # determine whether matcher contains function eval
+      def has_eval(string)
+        EVAL_REG.match?(string)
+      end
+
+      # replace all occurrences of function eval with rules
+      def replace_eval(expr, rules)
+        i = -1
+        expr.gsub EVAL_REG do |_|
+          i += 1
+          if rules.is_a? Hash
+            "(#{escape_assertion rules[Regexp.last_match 1]})"
+          else
+            "(#{escape_assertion rules[i]})"
+          end
+        end
+      end
+
+      # For now, it does not used.
+      # Returns the parameters of function eval.
+      def get_eval_value(string)
+        string.scan(EVAL_REG).flatten
+      end
+
+      # joins a string and a slice into a new slice.
+      def join_slice(a, *b)
+        Array.new(a).concat b
+      end
+
+      # returns the elements in `a` that aren't in `b`.
+      def set_subtract(a, b)
+        a - b
+      end
+    end
+  end
+end

data/lib/casbin-ruby/util/builtin_operators.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module Casbin
+  module Util
+    module BuiltinOperators
+      KEY_MATCH2_PATTERN = %r{:[^/]+}.freeze
+      KEY_MATCH3_PATTERN = %r{\{[^/]+\}}.freeze
+
+      class << self
+        # The wrapper for key_match.
+        def key_match_func(*args)
+          key_match(args[0], args[1])
+        end
+
+        def key_match2_func(*args)
+          key_match2(args[0], args[1])
+        end
+
+        def key_match3_func(*args)
+          key_match3(args[0], args[1])
+        end
+
+        # the wrapper for RegexMatch.
+        def regex_match_func(*args)
+          regex_match(args[0], args[1])
+        end
+
+        # the wrapper for globMatch.
+        def glob_match_func(*args)
+          glob_match(args[0], args[1])
+        end
+
+        # the wrapper for IPMatch.
+        def ip_match_func(*args)
+          ip_match(args[0], args[1])
+        end
+
+        # determines whether key1 matches the pattern of key2 (similar to RESTful path), key2 can contain a *.
+        # For example, "/foo/bar" matches "/foo/
+        def key_match(key1, key2)
+          i = key2.index('*')
+          return key1 == key2 if i.nil?
+          return key1[0...i] == key2[0...i] if key1.size > i
+
+          key1 == key2[0...i]
+        end
+
+        # determines whether key1 matches the pattern of key2 (similar to RESTful path), key2 can contain a *.
+        # For example, "/foo/bar" matches "/foo/*", "/resource1" matches "/:resource
+        def key_match2(key1, key2)
+          key2 = key2.gsub('/*', '/.*')
+          key2 = key2.gsub(KEY_MATCH2_PATTERN, '\1[^/]+\2')
+          regex_match(key1, "^#{key2}$")
+        end
+
+        # determines determines whether key1 matches the pattern of key2 (similar to RESTful path), key2 can contain
+        # a *.
+        # For example, "/foo/bar" matches "/foo/*", "/resource1" matches "/{resource}"
+        def key_match3(key1, key2)
+          key2 = key2.gsub('/*', '/.*')
+          key2 = key2.gsub(KEY_MATCH3_PATTERN, '\1[^\/]+\2')
+          regex_match(key1, "^#{key2}$")
+        end
+
+        # determines whether key1 matches the pattern of key2 in regular expression.
+        def regex_match(key1, key2)
+          (key1 =~ /#{key2}/)&.zero? || false
+        end
+
+        # determines whether string matches the pattern in glob expression.
+        def glob_match(string, pattern)
+          File.fnmatch(pattern, string, File::FNM_PATHNAME)
+        end
+
+        # IPMatch determines whether IP address ip1 matches the pattern of IP address ip2, ip2 can be an IP address or
+        # a CIDR pattern.
+        # For example, "192.168.2.123" matches "192.168.2.0/24
+        def ip_match(ip1, ip2)
+          ip = IPAddr.new(ip1)
+          network = IPAddr.new(ip2)
+          network.include?(ip)
+        rescue IPAddr::InvalidAddressError
+          ip1 == ip2
+        end
+
+        # the factory method of the g(_, _) function.
+        def generate_g_function(rm)
+          return ->(*args) { args[0] == args[1] } unless rm
+
+          lambda do |*args|
+            name1 = args[0]
+            name2 = args[1]
+
+            if args.length == 2
+              rm.has_link(name1, name2)
+            else
+              domain = args[2].to_s
+              rm.has_link(name1, name2, domain)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/casbin-ruby/util/evaluator.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'keisan'
+
+module Casbin
+  module Util
+    class Evaluator
+      class NamesConflictError < StandardError; end
+
+      class << self
+        # evaluate an expression, using the operators, functions and names previously setup.
+        def eval(expr, funcs = {}, params = {})
+          validate_names funcs, params
+          Keisan::Calculator.new.evaluate expr, funcs.merge(params)
+        end
+
+        def validate_names(funcs = {}, params = {})
+          conflicted_names = funcs.keys & params.keys
+          return if conflicted_names.empty?
+
+          raise NamesConflictError, "You can't use function names as parameter names: " \
+                                    "#{conflicted_names.map { |name| "`#{name}`" }.join ', '}"
+        end
+      end
+    end
+  end
+end

data/lib/casbin-ruby/util/thread_lock.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'singleton'
+
+class ThreadLock
+  include Singleton
+
+  class << self
+    delegate :thread=, :lock?, to: :instance
+  end
+
+  attr_accessor :thread
+
+  def lock?
+    return false unless thread
+
+    thread.active?
+  end
+end