casdoor/authz/authz.go

// Copyright 2021 The Casdoor Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package authz

import (
	"strings"

	"github.com/casbin/casbin/v2"
	"github.com/casdoor/casdoor/conf"
	"github.com/casdoor/casdoor/object"
	"github.com/casdoor/casdoor/util"
	stringadapter "github.com/qiangmzsx/string-adapter/v2"
)

var Enforcer *casbin.Enforcer

func InitApi() {
	var err error

	e, err := object.GetEnforcer(util.GetId("built-in", "api-enforcer-built-in"))
	if err != nil {
		panic(err)
	}
	Enforcer, err = e.InitEnforcer()
	if err != nil {
		panic(err)
	}

	Enforcer.ClearPolicy()

	// if len(Enforcer.GetPolicy()) == 0 {
	if true {
		ruleText := `
p, built-in, *, *, *, *, *
p, app, *, *, *, *, *
p, *, *, POST, /api/signup, *, *
p, *, *, GET, /api/get-email-and-phone, *, *
p, *, *, POST, /api/login, *, *
p, *, *, GET, /api/get-app-login, *, *
p, *, *, POST, /api/logout, *, *
p, *, *, GET, /api/logout, *, *
p, *, *, GET, /api/get-account, *, *
p, *, *, GET, /api/userinfo, *, *
p, *, *, GET, /api/user, *, *
p, *, *, GET, /api/health, *, *
p, *, *, POST, /api/webhook, *, *
p, *, *, GET, /api/get-webhook-event, *, *
p, *, *, GET, /api/get-captcha-status, *, *
p, *, *, *, /api/login/oauth, *, *
p, *, *, GET, /api/get-application, *, *
p, *, *, GET, /api/get-organization-applications, *, *
p, *, *, GET, /api/get-user, *, *
p, *, *, GET, /api/get-user-application, *, *
p, *, *, GET, /api/get-resources, *, *
p, *, *, GET, /api/get-records, *, *
p, *, *, GET, /api/get-product, *, *
p, *, *, POST, /api/buy-product, *, *
p, *, *, GET, /api/get-payment, *, *
p, *, *, POST, /api/update-payment, *, *
p, *, *, POST, /api/invoice-payment, *, *
p, *, *, POST, /api/notify-payment, *, *
p, *, *, POST, /api/unlink, *, *
p, *, *, POST, /api/set-password, *, *
p, *, *, POST, /api/send-verification-code, *, *
p, *, *, GET, /api/get-captcha, *, *
p, *, *, POST, /api/verify-captcha, *, *
p, *, *, POST, /api/verify-code, *, *
p, *, *, POST, /api/reset-email-or-phone, *, *
p, *, *, POST, /api/upload-resource, *, *
p, *, *, GET, /.well-known/openid-configuration, *, *
p, *, *, *, /.well-known/jwks, *, *
p, *, *, GET, /api/get-saml-login, *, *
p, *, *, POST, /api/acs, *, *
p, *, *, GET, /api/saml/metadata, *, *
p, *, *, *, /cas, *, *
p, *, *, *, /api/webauthn, *, *
p, *, *, GET, /api/get-release, *, *
p, *, *, GET, /api/get-default-application, *, *
p, *, *, GET, /api/get-prometheus-info, *, *
p, *, *, *, /api/metrics, *, *
p, *, *, GET, /api/get-pricing, *, *
p, *, *, GET, /api/get-plan, *, *
p, *, *, GET, /api/get-organization-names, *, *
`

		sa := stringadapter.NewAdapter(ruleText)
		// load all rules from string adapter to enforcer's memory
		err := sa.LoadPolicy(Enforcer.GetModel())
		if err != nil {
			panic(err)
		}

		// save all rules from enforcer's memory to Xorm adapter (DB)
		// same as:
		// a.SavePolicy(Enforcer.GetModel())
		err = Enforcer.SavePolicy()
		if err != nil {
			panic(err)
		}
	}
}

func IsAllowed(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
	if conf.IsDemoMode() {
		if !isAllowedInDemoMode(subOwner, subName, method, urlPath, objOwner, objName) {
			return false
		}
	}

	user, err := object.GetUser(util.GetId(subOwner, subName))
	if err != nil {
		panic(err)
	}

	if user != nil && user.IsAdmin && (subOwner == objOwner || (objOwner == "admin")) {
		return true
	}

	res, err := Enforcer.Enforce(subOwner, subName, method, urlPath, objOwner, objName)
	if err != nil {
		panic(err)
	}

	return res
}

func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
	if method == "POST" {
		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" {
			return true
		} else if urlPath == "/api/update-user" {
			// Allow ordinary users to update their own information
			if subOwner == objOwner && subName == objName && !(subOwner == "built-in" && subName == "admin") {
				return true
			}
			return false
		} else {
			return false
		}
	}

	// If method equals GET
	return true
}
Update license headers. 2022-02-13 23:39:27 +08:00			`// Copyright 2021 The Casdoor Authors. All Rights Reserved.`
Add AuthzFilter. 2021-02-28 20:23:50 +08:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package authz`

			`import (`
Fix 403 bug for /api/login/* APIs 2022-09-09 01:53:21 +08:00			`"strings"`

Add AuthzFilter. 2021-02-28 20:23:50 +08:00			`"github.com/casbin/casbin/v2"`
Update import path. 2022-01-20 14:11:46 +08:00			`"github.com/casdoor/casdoor/conf"`
Improve org admin permissions 2022-10-07 15:59:23 +08:00			`"github.com/casdoor/casdoor/object"`
Use util.GetId() 2023-05-19 14:26:32 +08:00			`"github.com/casdoor/casdoor/util"`
Add AuthzFilter. 2021-02-28 20:23:50 +08:00			`stringadapter "github.com/qiangmzsx/string-adapter/v2"`
			`)`

			`var Enforcer *casbin.Enforcer`

feat: make hard-coded authz adapter editable, rename adapter to ormer (#2149) * refactor: rename casbinAdapter to casdoorAdapter * feat: add initEnforcer * fix: router * refactor: make hard-coded code configurable * fix: data type * feat: support sqlite3 * feat: disable delete and edit name for built in resources * feat: optimize code * fix: init * fix: e2e * fix: remove datasourcename * fix: revert rename * refactor: change all ORM's Adatper to Ormer * refactor: name 2023-07-29 15:07:04 +08:00			`func InitApi() {`
Add AuthzFilter. 2021-02-28 20:23:50 +08:00			`var err error`

feat: make hard-coded authz adapter editable, rename adapter to ormer (#2149) * refactor: rename casbinAdapter to casdoorAdapter * feat: add initEnforcer * fix: router * refactor: make hard-coded code configurable * fix: data type * feat: support sqlite3 * feat: disable delete and edit name for built in resources * feat: optimize code * fix: init * fix: e2e * fix: remove datasourcename * fix: revert rename * refactor: change all ORM's Adatper to Ormer * refactor: name 2023-07-29 15:07:04 +08:00			`e, err := object.GetEnforcer(util.GetId("built-in", "api-enforcer-built-in"))`
Add AuthzFilter. 2021-02-28 20:23:50 +08:00			`if err != nil {`
			`panic(err)`
			`}`
feat: make hard-coded authz adapter editable, rename adapter to ormer (#2149) * refactor: rename casbinAdapter to casdoorAdapter * feat: add initEnforcer * fix: router * refactor: make hard-coded code configurable * fix: data type * feat: support sqlite3 * feat: disable delete and edit name for built in resources * feat: optimize code * fix: init * fix: e2e * fix: remove datasourcename * fix: revert rename * refactor: change all ORM's Adatper to Ormer * refactor: name 2023-07-29 15:07:04 +08:00			`Enforcer, err = e.InitEnforcer()`
Add AuthzFilter. 2021-02-28 20:23:50 +08:00			`if err != nil {`
			`panic(err)`
			`}`

Call Enforcer.ClearPolicy() to remove previous rules in DB. 2021-05-13 22:50:50 +08:00			`Enforcer.ClearPolicy()`

chore(style): use `gofumpt` to fmt go code (#967) 2022-08-07 12:26:14 +08:00			`// if len(Enforcer.GetPolicy()) == 0 {`
Parse subOwner, subName. 2021-02-28 23:14:48 +08:00			`if true {`
Add AuthzFilter. 2021-02-28 20:23:50 +08:00			ruleText := `
Parse subOwner, subName. 2021-02-28 23:14:48 +08:00			`p, built-in, , , , , *`
Support server-side upload-resource call. 2021-09-05 01:03:29 +08:00			`p, app, , , , , *`
Replace "register" with "sign up". 2021-04-27 22:47:44 +08:00			`p, , , POST, /api/signup, , `
feat: refactor reset password api and forgetPage.js (#1601) 2023-03-01 15:57:42 +08:00			`p, , , GET, /api/get-email-and-phone, , `
Parse subOwner, subName. 2021-02-28 23:14:48 +08:00			`p, , , POST, /api/login, , `
Fix AuthCallback's code handling. 2021-03-21 00:38:00 +08:00			`p, , , GET, /api/get-app-login, , `
Parse subOwner, subName. 2021-02-28 23:14:48 +08:00			`p, , , POST, /api/logout, , `
feat: add GET method of logout API (#903) 2022-07-22 21:13:49 +08:00			`p, , , GET, /api/logout, , `
Parse subOwner, subName. 2021-02-28 23:14:48 +08:00			`p, , , GET, /api/get-account, , `
feat: add userinfo endpoint (#447) * feat: add userinfo endpoint Signed-off-by: 0x2a <stevesough@gmail.com> * feat: add scope support Signed-off-by: 0x2a <stevesough@gmail.com> * fix: modify the endpoint of discovery Signed-off-by: 0x2a <stevesough@gmail.com> 2022-01-26 11:56:01 +08:00			`p, , , GET, /api/userinfo, , `
Add /api/user API for Flarum's FoF Passport plugin 2023-03-24 01:02:04 +08:00			`p, , , GET, /api/user, , `
Add /api/health API 2023-05-16 21:47:34 +08:00			`p, , , GET, /api/health, , `
feat: support login by following wechat official account (#1284) * show QRcode when click WeChat Icon * update how to show qrcode * handle wechat scan qrcode * fix api problems * fix url problems * fix problems * modify get frequency * remove useless print * fix:fix PR problems * fix: fix PR problems * fix:fix PR problem * fix IMG load delay problems * fix:fix provider problems * fix test problems * use gofumpt to fmt code * fix:delete useless variables * feat:add button for follow official account * fix:fix review problems * use gofumpt to fmt code * fix:fix scantype problems * fix Response problem * use gofumpt to format code 2022-11-13 15:05:15 +08:00			`p, , , POST, /api/webhook, , `
			`p, , , GET, /api/get-webhook-event, , `
feat: add dynamic mode for provider to enable verification code when the login password is wrong (#1753) * fix: update webAuthnBufferDecode to support Base64URL for WebAuthn updates * feat: enable verification code when the login password is wrong * fix: only enable captcha when login in password * fix: disable login error limits when captcha on * fix: pass "enableCaptcha" as an optional param * fix: change enbleCapctah to optional bool param 2023-04-22 16:16:25 +08:00			`p, , , GET, /api/get-captcha-status, , `
fix: fix failure of introspection (#682) * fix: fix failure of introspection * Update token.go Co-authored-by: Yang Luo <hsluoyz@qq.com> 2022-04-22 22:45:52 +08:00			`p, , , , /api/login/oauth, , *`
Parse subOwner, subName. 2021-02-28 23:14:48 +08:00			`p, , , GET, /api/get-application, , `
fix: Restrict the request permissions of providers and applications (#970) 2022-08-07 16:05:05 +08:00			`p, , , GET, /api/get-organization-applications, , `
Add other authz rules. 2021-03-06 00:40:11 +08:00			`p, , , GET, /api/get-user, , `
Replace getDefaultApplication() with getUserApplication(). 2021-07-11 23:49:06 +08:00			`p, , , GET, /api/get-user-application, , `
Show resource list page to users. 2021-09-06 00:49:10 +08:00			`p, , , GET, /api/get-resources, , `
Show logs to org admin 2022-09-18 16:16:45 +08:00			`p, , , GET, /api/get-records, , `
Add GetUserPayments() API. 2022-03-13 11:51:33 +08:00			`p, , , GET, /api/get-product, , `
Add returnUrl to product. 2022-03-13 16:25:54 +08:00			`p, , , POST, /api/buy-product, , `
			`p, , , GET, /api/get-payment, , `
Scroll to payment page bottom. 2022-04-27 01:06:54 +08:00			`p, , , POST, /api/update-payment, , `
			`p, , , POST, /api/invoice-payment, , `
Fix bug in uploadFile()'s URL. 2022-07-17 14:29:06 +08:00			`p, , , POST, /api/notify-payment, , `
Fix "/api/unlink" bug. 2021-04-27 20:42:19 +08:00			`p, , , POST, /api/unlink, , `
Fix add/update salted password. 2021-05-16 21:04:26 +08:00			`p, , , POST, /api/set-password, , `
feat: check user email and phone when signing up Signed-off-by: Kininaru <shiftregister233@outlook.com> phone prefix error Signed-off-by: Kininaru <shiftregister233@outlook.com> fix i18n Signed-off-by: Kininaru <shiftregister233@outlook.com> fix i18n error Signed-off-by: Kininaru <shiftregister233@outlook.com> removed useless file Signed-off-by: Kininaru <shiftregister233@outlook.com> move timeout to app.conf Signed-off-by: Kininaru <shiftregister233@outlook.com> i18n Signed-off-by: Kininaru <shiftregister233@outlook.com> made verification code reusable Signed-off-by: Kininaru <shiftregister233@outlook.com> 2021-05-18 20:11:03 +08:00			`p, , , POST, /api/send-verification-code, , `
feat: support configurable captcha(reCaptcha & hCaptcha) (#765) * feat: support configurable captcha(layered architecture) * refactor & add captcha logo * rename captcha * Update authz.go * Update hcaptcha.go * Update default.go * Update recaptcha.go Co-authored-by: Gucheng <85475922+nomeguy@users.noreply.github.com> 2022-06-18 16:00:31 +08:00			`p, , , GET, /api/get-captcha, , `
			`p, , , POST, /api/verify-captcha, , `
feat: optimize the "forget password" page (#1709) 2023-04-06 23:06:18 +08:00			`p, , , POST, /api/verify-code, , `
Fix small issues. 2021-05-23 23:38:38 +08:00			`p, , , POST, /api/reset-email-or-phone, , `
Add getInitScore(). 2021-08-28 11:13:38 +08:00			`p, , , POST, /api/upload-resource, , `
Add /.well-known/openid-configuration route. 2021-09-25 14:54:13 +08:00			`p, , , GET, /.well-known/openid-configuration, , `
fix: oidc jwks endpoint only return default cert (#506) Signed-off-by: Steve0x2a <stevesough@gmail.com> 2022-02-21 23:17:16 +08:00			`p, , , , /.well-known/jwks, , *`
feat: support SAML and test with aliyun IDaaS (#346) * feat: support SAML and test with aliyun IDaaS Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * refactor: refactor saml.go and router Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: add param to getSamlLogin() Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * feat: add inputs to parse metadata automatically and show sp-acs-url, sp-entity-id Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2021-12-06 21:46:50 +08:00			`p, , , GET, /api/get-saml-login, , `
			`p, , , POST, /api/acs, , `
feat: add casdoor as saml idp support (#571) * feat: add casdoor as saml idp support Signed-off-by: 0x2a <stevesough@gmail.com> * fix: merge code Signed-off-by: 0x2a <stevesough@gmail.com> * fix: modify response value Signed-off-by: Steve0x2a <stevesough@gmail.com> * fix: modify samlResponse generation method Signed-off-by: Steve0x2a <stevesough@gmail.com> * fix: generating a response using etree Signed-off-by: Steve0x2a <stevesough@gmail.com> * fix: change metadata url Signed-off-by: Steve0x2a <stevesough@gmail.com> * fix: modify front-end adaptation Signed-off-by: Steve0x2a <stevesough@gmail.com> * fix: recovering an incorrect override Signed-off-by: Steve0x2a <stevesough@gmail.com> * fix: change the samlResponse location Signed-off-by: Steve0x2a <stevesough@gmail.com> * fix: add relayState support Signed-off-by: Steve0x2a <stevesough@gmail.com> 2022-04-08 23:06:48 +08:00			`p, , , GET, /api/saml/metadata, , `
feat: support CAS with organizations and applications (#621) 2022-04-04 00:09:04 +08:00			`p, , , , /cas, , *`
feat: support webauthn (#407) * feat: support webauthn * Update init.go * Update user_webauthn.go * Update UserEditPage.js * Update WebauthnCredentialTable.js * Update LoginPage.js Co-authored-by: Gucheng <85475922+nomeguy@users.noreply.github.com> 2022-07-12 20:06:01 +08:00			`p, , , , /api/webauthn, , *`
feat: add system info page (#1033) * feat: add system info page * feat: add some code * fix 2022-08-20 21:22:46 +08:00			`p, , , GET, /api/get-release, , `
feat: add defaultApplication for Orgnization (#1111) * feat: add defaultApplication for Orgnization Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: remove redundant codes Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: don't use app-built-in Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: add query param Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * Update organization.go * Update organization.go Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> Co-authored-by: Yang Luo <hsluoyz@qq.com> 2022-09-10 20:41:45 +08:00			`p, , , GET, /api/get-default-application, , `
feat: support for prometheus (#1784) 2023-04-25 16:06:09 +08:00			`p, , , GET, /api/get-prometheus-info, , `
			`p, , , , /api/metrics, , *`
feat: add subscription managment (#1858) * feat: subscription managment * fix: remove console log * fix: webhooks * fix linter * fix: fix via gofumpt * fix: review changes * fix: Copyright 2023 * Update account.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-20 10:56:21 +03:00			`p, , , GET, /api/get-pricing, , `
			`p, , , GET, /api/get-plan, , `
feat: specify login organization 2023-05-27 19:02:54 +08:00			`p, , , GET, /api/get-organization-names, , `
Add AuthzFilter. 2021-02-28 20:23:50 +08:00			`

			`sa := stringadapter.NewAdapter(ruleText)`
			`// load all rules from string adapter to enforcer's memory`
			`err := sa.LoadPolicy(Enforcer.GetModel())`
			`if err != nil {`
			`panic(err)`
			`}`

			`// save all rules from enforcer's memory to Xorm adapter (DB)`
			`// same as:`
			`// a.SavePolicy(Enforcer.GetModel())`
			`err = Enforcer.SavePolicy()`
			`if err != nil {`
			`panic(err)`
			`}`
			`}`
			`}`

Parse subOwner, subName. 2021-02-28 23:14:48 +08:00			`func IsAllowed(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {`
feat: add demo mode (#1097) * feat: add demo mode * feat: add demo mode * Update app.conf * Update authz.go * Update authz.go Co-authored-by: Yang Luo <hsluoyz@qq.com> 2022-09-04 21:20:19 +08:00			`if conf.IsDemoMode() {`
			`if !isAllowedInDemoMode(subOwner, subName, method, urlPath, objOwner, objName) {`
			`return false`
			`}`
			`}`

feat: return most backend API errors to frontend (#1836) * feat: return most backend API errros to frontend Signed-off-by: yehong <239859435@qq.com> * refactor: reduce int type change Signed-off-by: yehong <239859435@qq.com> * feat: return err backend in token.go Signed-off-by: yehong <239859435@qq.com> --------- Signed-off-by: yehong <239859435@qq.com> 2023-05-30 15:49:39 +08:00			`user, err := object.GetUser(util.GetId(subOwner, subName))`
			`if err != nil {`
			`panic(err)`
			`}`

feat: fix org admin permissions (#1822) 2023-05-09 00:06:52 +08:00			`if user != nil && user.IsAdmin && (subOwner == objOwner \|\| (objOwner == "admin")) {`
Improve org admin permissions 2022-10-07 15:59:23 +08:00			`return true`
			`}`

Parse subOwner, subName. 2021-02-28 23:14:48 +08:00			`res, err := Enforcer.Enforce(subOwner, subName, method, urlPath, objOwner, objName)`
Add AuthzFilter. 2021-02-28 20:23:50 +08:00			`if err != nil {`
			`panic(err)`
			`}`

			`return res`
			`}`
feat: add demo mode (#1097) * feat: add demo mode * feat: add demo mode * Update app.conf * Update authz.go * Update authz.go Co-authored-by: Yang Luo <hsluoyz@qq.com> 2022-09-04 21:20:19 +08:00
			`func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {`
			`if method == "POST" {`
Improve default captcha UI 2023-03-02 21:40:27 +08:00			`if strings.HasPrefix(urlPath, "/api/login") \|\| urlPath == "/api/logout" \|\| urlPath == "/api/signup" \|\| urlPath == "/api/send-verification-code" \|\| urlPath == "/api/send-email" \|\| urlPath == "/api/verify-captcha" {`
feat: add demo mode (#1097) * feat: add demo mode * feat: add demo mode * Update app.conf * Update authz.go * Update authz.go Co-authored-by: Yang Luo <hsluoyz@qq.com> 2022-09-04 21:20:19 +08:00			`return true`
			`} else if urlPath == "/api/update-user" {`
			`// Allow ordinary users to update their own information`
			`if subOwner == objOwner && subName == objName && !(subOwner == "built-in" && subName == "admin") {`
			`return true`
			`}`
			`return false`
			`} else {`
			`return false`
			`}`
			`}`

			`// If method equals GET`
			`return true`
			`}`