2022-08-07 23:55:03 +08:00
|
|
|
// Copyright 2021 The Casdoor Authors. All Rights Reserved.
|
|
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
|
|
package object
|
|
|
|
|
|
|
|
|
|
import (
|
2023-01-15 12:06:10 +08:00
|
|
|
"fmt"
|
2022-08-07 23:55:03 +08:00
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/casbin/casbin/v2"
|
2023-01-15 12:06:10 +08:00
|
|
|
"github.com/casbin/casbin/v2/config"
|
2023-03-19 19:13:48 +07:00
|
|
|
"github.com/casbin/casbin/v2/log"
|
2022-08-07 23:55:03 +08:00
|
|
|
"github.com/casbin/casbin/v2/model"
|
|
|
|
|
"github.com/casdoor/casdoor/conf"
|
2023-02-12 09:33:24 +08:00
|
|
|
xormadapter "github.com/casdoor/xorm-adapter/v3"
|
2022-08-07 23:55:03 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func getEnforcer(permission *Permission) *casbin.Enforcer {
|
2022-08-18 11:49:32 +08:00
|
|
|
tableName := "permission_rule"
|
|
|
|
|
if len(permission.Adapter) != 0 {
|
2023-05-30 15:49:39 +08:00
|
|
|
adapterObj, err := getCasbinAdapter(permission.Owner, permission.Adapter)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-20 01:33:26 +08:00
|
|
|
if adapterObj != nil && adapterObj.Table != "" {
|
|
|
|
|
tableName = adapterObj.Table
|
|
|
|
|
}
|
2022-08-18 11:49:32 +08:00
|
|
|
}
|
2022-08-07 23:55:03 +08:00
|
|
|
tableNamePrefix := conf.GetConfigString("tableNamePrefix")
|
2022-12-02 22:20:18 +08:00
|
|
|
driverName := conf.GetConfigString("driverName")
|
|
|
|
|
dataSourceName := conf.GetConfigRealDataSourceName(driverName)
|
|
|
|
|
adapter, err := xormadapter.NewAdapterWithTableName(driverName, dataSourceName, tableName, tableNamePrefix, true)
|
2022-08-07 23:55:03 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
permissionModel, err := getModel(permission.Owner, permission.Model)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-15 12:06:10 +08:00
|
|
|
m := model.Model{}
|
2022-08-07 23:55:03 +08:00
|
|
|
if permissionModel != nil {
|
2023-01-15 12:06:10 +08:00
|
|
|
m, err = GetBuiltInModel(permissionModel.ModelText)
|
|
|
|
|
} else {
|
|
|
|
|
m, err = GetBuiltInModel("")
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
2023-01-15 12:06:10 +08:00
|
|
|
|
2022-08-07 23:55:03 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-19 19:13:48 +07:00
|
|
|
// Init an enforcer instance without specifying a model or adapter.
|
|
|
|
|
// If you specify an adapter, it will load all policies, which is a
|
|
|
|
|
// heavy process that can slow down the application.
|
|
|
|
|
enforcer, err := casbin.NewEnforcer(&log.DefaultLogger{}, false)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
2023-01-17 09:27:02 +07:00
|
|
|
|
2023-05-12 21:32:48 +08:00
|
|
|
err = enforcer.InitWithModelAndAdapter(m, nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-19 19:13:48 +07:00
|
|
|
enforcer.SetAdapter(adapter)
|
|
|
|
|
|
|
|
|
|
policyFilter := xormadapter.Filter{
|
|
|
|
|
V5: []string{permission.GetId()},
|
2023-01-17 09:27:02 +07:00
|
|
|
}
|
|
|
|
|
|
2023-03-19 19:13:48 +07:00
|
|
|
if !HasRoleDefinition(m) {
|
|
|
|
|
policyFilter.Ptype = []string{"p"}
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
|
|
|
|
|
2023-01-17 09:27:02 +07:00
|
|
|
err = enforcer.LoadFilteredPolicy(policyFilter)
|
2023-01-15 12:06:10 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
2023-03-19 19:13:48 +07:00
|
|
|
|
2022-08-07 23:55:03 +08:00
|
|
|
return enforcer
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 09:27:02 +07:00
|
|
|
func getPolicies(permission *Permission) [][]string {
|
2022-08-07 23:55:03 +08:00
|
|
|
var policies [][]string
|
2023-01-17 09:27:02 +07:00
|
|
|
|
2023-01-15 12:06:10 +08:00
|
|
|
permissionId := permission.GetId()
|
2022-08-18 11:49:32 +08:00
|
|
|
domainExist := len(permission.Domains) > 0
|
2023-01-17 09:27:02 +07:00
|
|
|
|
2022-08-07 23:55:03 +08:00
|
|
|
for _, user := range permission.Users {
|
|
|
|
|
for _, resource := range permission.Resources {
|
|
|
|
|
for _, action := range permission.Actions {
|
2022-08-18 11:49:32 +08:00
|
|
|
if domainExist {
|
|
|
|
|
for _, domain := range permission.Domains {
|
2022-12-05 17:07:10 +08:00
|
|
|
policies = append(policies, []string{user, domain, resource, strings.ToLower(action), "", permissionId})
|
2022-08-18 11:49:32 +08:00
|
|
|
}
|
|
|
|
|
} else {
|
2022-12-05 17:07:10 +08:00
|
|
|
policies = append(policies, []string{user, resource, strings.ToLower(action), "", "", permissionId})
|
2022-08-18 11:49:32 +08:00
|
|
|
}
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-01-17 09:27:02 +07:00
|
|
|
|
|
|
|
|
for _, role := range permission.Roles {
|
|
|
|
|
for _, resource := range permission.Resources {
|
|
|
|
|
for _, action := range permission.Actions {
|
|
|
|
|
if domainExist {
|
|
|
|
|
for _, domain := range permission.Domains {
|
|
|
|
|
policies = append(policies, []string{role, domain, resource, strings.ToLower(action), "", permissionId})
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
policies = append(policies, []string{role, resource, strings.ToLower(action), "", "", permissionId})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return policies
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func getRolesInRole(roleId string, visited map[string]struct{}) ([]*Role, error) {
|
|
|
|
|
role, err := GetRole(roleId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return []*Role{}, err
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-28 21:14:37 +07:00
|
|
|
if role == nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return []*Role{}, nil
|
2023-04-28 21:14:37 +07:00
|
|
|
}
|
|
|
|
|
visited[roleId] = struct{}{}
|
|
|
|
|
|
|
|
|
|
roles := []*Role{role}
|
|
|
|
|
for _, subRole := range role.Roles {
|
|
|
|
|
if _, ok := visited[subRole]; !ok {
|
2023-05-30 15:49:39 +08:00
|
|
|
r, err := getRolesInRole(subRole, visited)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return []*Role{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
roles = append(roles, r...)
|
2023-04-28 21:14:37 +07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
return roles, nil
|
2023-04-28 21:14:37 +07:00
|
|
|
}
|
|
|
|
|
|
2023-01-17 09:27:02 +07:00
|
|
|
func getGroupingPolicies(permission *Permission) [][]string {
|
|
|
|
|
var groupingPolicies [][]string
|
|
|
|
|
|
|
|
|
|
domainExist := len(permission.Domains) > 0
|
|
|
|
|
permissionId := permission.GetId()
|
|
|
|
|
|
2023-04-28 21:14:37 +07:00
|
|
|
for _, roleId := range permission.Roles {
|
|
|
|
|
visited := map[string]struct{}{}
|
2023-05-30 15:49:39 +08:00
|
|
|
rolesInRole, err := getRolesInRole(roleId, visited)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
2023-04-28 21:14:37 +07:00
|
|
|
for _, role := range rolesInRole {
|
|
|
|
|
roleId := role.GetId()
|
|
|
|
|
for _, subUser := range role.Users {
|
|
|
|
|
if domainExist {
|
|
|
|
|
for _, domain := range permission.Domains {
|
|
|
|
|
groupingPolicies = append(groupingPolicies, []string{subUser, roleId, domain, "", "", permissionId})
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
groupingPolicies = append(groupingPolicies, []string{subUser, roleId, "", "", "", permissionId})
|
2022-08-18 11:49:32 +08:00
|
|
|
}
|
|
|
|
|
}
|
2023-01-17 09:27:02 +07:00
|
|
|
|
2023-04-28 21:14:37 +07:00
|
|
|
for _, subRole := range role.Roles {
|
|
|
|
|
if domainExist {
|
|
|
|
|
for _, domain := range permission.Domains {
|
|
|
|
|
groupingPolicies = append(groupingPolicies, []string{subRole, roleId, domain, "", "", permissionId})
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
groupingPolicies = append(groupingPolicies, []string{subRole, roleId, "", "", "", permissionId})
|
2022-08-18 11:49:32 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
2023-01-17 09:27:02 +07:00
|
|
|
|
|
|
|
|
return groupingPolicies
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func addPolicies(permission *Permission) {
|
|
|
|
|
enforcer := getEnforcer(permission)
|
2023-01-17 09:27:02 +07:00
|
|
|
policies := getPolicies(permission)
|
|
|
|
|
|
|
|
|
|
_, err := enforcer.AddPolicies(policies)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func addGroupingPolicies(permission *Permission) {
|
|
|
|
|
enforcer := getEnforcer(permission)
|
|
|
|
|
groupingPolicies := getGroupingPolicies(permission)
|
2022-08-18 11:49:32 +08:00
|
|
|
|
|
|
|
|
if len(groupingPolicies) > 0 {
|
|
|
|
|
_, err := enforcer.AddGroupingPolicies(groupingPolicies)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
|
|
|
|
|
2023-01-17 09:27:02 +07:00
|
|
|
func removeGroupingPolicies(permission *Permission) {
|
2022-08-07 23:55:03 +08:00
|
|
|
enforcer := getEnforcer(permission)
|
2023-01-17 09:27:02 +07:00
|
|
|
groupingPolicies := getGroupingPolicies(permission)
|
2022-08-07 23:55:03 +08:00
|
|
|
|
2022-08-18 11:49:32 +08:00
|
|
|
if len(groupingPolicies) > 0 {
|
|
|
|
|
_, err := enforcer.RemoveGroupingPolicies(groupingPolicies)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
2022-08-15 10:24:26 +08:00
|
|
|
}
|
2023-01-17 09:27:02 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func removePolicies(permission *Permission) {
|
|
|
|
|
enforcer := getEnforcer(permission)
|
|
|
|
|
policies := getPolicies(permission)
|
2022-08-15 10:24:26 +08:00
|
|
|
|
2022-08-18 11:49:32 +08:00
|
|
|
_, err := enforcer.RemovePolicies(policies)
|
2022-08-15 10:24:26 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-12 21:32:48 +08:00
|
|
|
type CasbinRequest = []interface{}
|
2022-12-05 16:08:17 +08:00
|
|
|
|
2023-06-04 17:29:34 +08:00
|
|
|
func Enforce(permissionId string, request *CasbinRequest) (bool, error) {
|
2023-05-30 15:49:39 +08:00
|
|
|
permission, err := GetPermission(permissionId)
|
|
|
|
|
if err != nil {
|
2023-06-04 17:29:34 +08:00
|
|
|
return false, err
|
2023-05-30 15:49:39 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-12 21:32:48 +08:00
|
|
|
enforcer := getEnforcer(permission)
|
2023-06-04 17:29:34 +08:00
|
|
|
return enforcer.Enforce(*request...)
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
|
|
|
|
|
2023-06-04 17:29:34 +08:00
|
|
|
func BatchEnforce(permissionId string, requests *[]CasbinRequest) ([]bool, error) {
|
2023-05-30 15:49:39 +08:00
|
|
|
permission, err := GetPermission(permissionId)
|
|
|
|
|
if err != nil {
|
2023-06-04 17:29:34 +08:00
|
|
|
res := []bool{}
|
|
|
|
|
for i := 0; i < len(*requests); i++ {
|
|
|
|
|
res = append(res, false)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return res, err
|
2023-05-30 15:49:39 +08:00
|
|
|
}
|
|
|
|
|
|
2022-08-07 23:55:03 +08:00
|
|
|
enforcer := getEnforcer(permission)
|
2023-06-04 17:29:34 +08:00
|
|
|
return enforcer.BatchEnforce(*requests)
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
|
|
|
|
|
2022-08-18 11:49:32 +08:00
|
|
|
func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) []string {
|
2023-06-16 21:44:21 +07:00
|
|
|
permissions, _, err := GetPermissionsAndRolesByUser(userId)
|
2023-05-30 15:49:39 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-18 11:49:32 +08:00
|
|
|
for _, role := range GetAllRoles(userId) {
|
2023-05-30 15:49:39 +08:00
|
|
|
permissionsByRole, err := GetPermissionsByRole(role)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
permissions = append(permissions, permissionsByRole...)
|
2022-08-18 11:49:32 +08:00
|
|
|
}
|
|
|
|
|
|
2022-08-07 23:55:03 +08:00
|
|
|
var values []string
|
|
|
|
|
for _, permission := range permissions {
|
|
|
|
|
enforcer := getEnforcer(permission)
|
2022-08-18 11:49:32 +08:00
|
|
|
values = append(values, fn(enforcer)...)
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
|
|
|
|
return values
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func GetAllObjects(userId string) []string {
|
2022-08-18 11:49:32 +08:00
|
|
|
return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
|
|
|
|
|
return enforcer.GetAllObjects()
|
|
|
|
|
})
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func GetAllActions(userId string) []string {
|
2022-08-18 11:49:32 +08:00
|
|
|
return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
|
|
|
|
|
return enforcer.GetAllActions()
|
|
|
|
|
})
|
2022-08-07 23:55:03 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func GetAllRoles(userId string) []string {
|
2023-05-30 15:49:39 +08:00
|
|
|
roles, err := GetRolesByUser(userId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-07 23:55:03 +08:00
|
|
|
var res []string
|
|
|
|
|
for _, role := range roles {
|
|
|
|
|
res = append(res, role.Name)
|
|
|
|
|
}
|
|
|
|
|
return res
|
|
|
|
|
}
|
2023-01-15 12:06:10 +08:00
|
|
|
|
|
|
|
|
func GetBuiltInModel(modelText string) (model.Model, error) {
|
|
|
|
|
if modelText == "" {
|
|
|
|
|
modelText = `
|
|
|
|
|
[request_definition]
|
|
|
|
|
r = sub, obj, act
|
|
|
|
|
|
|
|
|
|
[policy_definition]
|
|
|
|
|
p = sub, obj, act, "", "", permissionId
|
|
|
|
|
|
|
|
|
|
[role_definition]
|
|
|
|
|
g = _, _
|
|
|
|
|
|
|
|
|
|
[policy_effect]
|
|
|
|
|
e = some(where (p.eft == allow))
|
|
|
|
|
|
|
|
|
|
[matchers]
|
|
|
|
|
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`
|
|
|
|
|
return model.NewModelFromString(modelText)
|
|
|
|
|
} else {
|
|
|
|
|
cfg, err := config.NewConfigFromText(modelText)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// load [policy_definition]
|
|
|
|
|
policyDefinition := strings.Split(cfg.String("policy_definition::p"), ",")
|
|
|
|
|
fieldsNum := len(policyDefinition)
|
|
|
|
|
if fieldsNum > builtInAvailableField {
|
|
|
|
|
panic(fmt.Errorf("the maximum policy_definition field number cannot exceed %d", builtInAvailableField))
|
|
|
|
|
}
|
|
|
|
|
// filled empty field with "" and V5 with "permissionId"
|
|
|
|
|
for i := builtInAvailableField - fieldsNum; i > 0; i-- {
|
|
|
|
|
policyDefinition = append(policyDefinition, "")
|
|
|
|
|
}
|
|
|
|
|
policyDefinition = append(policyDefinition, "permissionId")
|
|
|
|
|
|
|
|
|
|
m, _ := model.NewModelFromString(modelText)
|
|
|
|
|
m.AddDef("p", "p", strings.Join(policyDefinition, ","))
|
|
|
|
|
|
|
|
|
|
return m, err
|
|
|
|
|
}
|
|
|
|
|
}
|
