feat: support RBAC with domains model and add adapter to specify the table name for policy storage (#1020)

* feat: support RBAC with domains model and add adapter to specify the table name for policy storage

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>

* fix some bugs

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>

* add i18n

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>

object/permission.go

@@ -32,6 +32,7 @@ type Permission struct {
 	Domains []string `xorm:"mediumtext" json:"domains"`
 
 	Model        string   `xorm:"varchar(100)" json:"model"`
+	Adapter      string   `xorm:"varchar(100)" json:"adapter"`
 	ResourceType string   `xorm:"varchar(100)" json:"resourceType"`
 	Resources    []string `xorm:"mediumtext" json:"resources"`
 	Actions      []string `xorm:"mediumtext" json:"actions"`
@@ -52,6 +53,7 @@ type PermissionRule struct {
 	V3    string `xorm:"varchar(100) index not null default ''" json:"v3"`
 	V4    string `xorm:"varchar(100) index not null default ''" json:"v4"`
 	V5    string `xorm:"varchar(100) index not null default ''" json:"v5"`
+	Id    string `xorm:"varchar(100) index not null default ''" json:"id"`
 }
 
 func GetPermissionCount(owner, field, value string) int {
@@ -121,7 +123,18 @@ func UpdatePermission(id string, permission *Permission) bool {
 	}
 
 	if affected != 0 {
+		if oldPermission.Adapter != "" {
 			removePolicies(oldPermission)
+			if oldPermission.Adapter != permission.Adapter {
+				isEmpty, _ := adapter.Engine.IsTableEmpty(oldPermission.Adapter)
+				if isEmpty {
+					err = adapter.Engine.DropTables(oldPermission.Adapter)
+					if err != nil {
+						panic(err)
+					}
+				}
+			}
+		}
 		addPolicies(permission)
 	}
 
@@ -134,10 +147,6 @@ func AddPermission(permission *Permission) bool {
 		panic(err)
 	}
 
-	if affected != 0 {
-		addPolicies(permission)
-	}
-
 	return affected != 0
 }
 
@@ -147,8 +156,17 @@ func DeletePermission(permission *Permission) bool {
 		panic(err)
 	}
 
-	if affected != 0 {
+	if affected != 0 && permission.Adapter != "" {
 		removePolicies(permission)
+		if permission.Adapter != "permission_rule" {
+			isEmpty, _ := adapter.Engine.IsTableEmpty(permission.Adapter)
+			if isEmpty {
+				err = adapter.Engine.DropTables(permission.Adapter)
+				if err != nil {
+					panic(err)
+				}
+			}
+		}
 	}
 
 	return affected != 0
@@ -168,6 +186,16 @@ func GetPermissionsByUser(userId string) []*Permission {
 	return permissions
 }
 
+func GetPermissionsByRole(roleId string) []*Permission {
+	permissions := []*Permission{}
+	err := adapter.Engine.Where("roles like ?", "%"+roleId+"%").Find(&permissions)
+	if err != nil {
+		panic(err)
+	}
+
+	return permissions
+}
+
 func GetPermissionsBySubmitter(owner string, submitter string) []*Permission {
 	permissions := []*Permission{}
 	err := adapter.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner, Submitter: submitter})

object/permission_enforcer.go

@@ -24,8 +24,12 @@ import (
 )
 
 func getEnforcer(permission *Permission) *casbin.Enforcer {
+	tableName := "permission_rule"
+	if len(permission.Adapter) != 0 {
+		tableName = permission.Adapter
+	}
 	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	adapter, err := xormadapter.NewAdapterWithTableName(conf.GetConfigString("driverName"), conf.GetBeegoConfDataSourceName()+conf.GetConfigString("dbName"), "permission_rule", tableNamePrefix, true)
+	adapter, err := xormadapter.NewAdapterWithTableName(conf.GetConfigString("driverName"), conf.GetBeegoConfDataSourceName()+conf.GetConfigString("dbName"), tableName, tableNamePrefix, true)
 	if err != nil {
 		panic(err)
 	}
@@ -35,7 +39,7 @@ func getEnforcer(permission *Permission) *casbin.Enforcer {
 r = sub, obj, act
 
 [policy_definition]
-p = permission, sub, obj, act
+p = sub, obj, act
 
 [role_definition]
 g = _, _
@@ -62,28 +66,68 @@ m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`
 	return enforcer
 }
 
-func getPolicies(permission *Permission) [][]string {
+func getPolicies(permission *Permission) ([][]string, [][]string) {
 	var policies [][]string
+	var groupingPolicies [][]string
+	domainExist := len(permission.Domains) > 0
 	for _, user := range permission.Users {
 		for _, resource := range permission.Resources {
 			for _, action := range permission.Actions {
-				policies = append(policies, []string{permission.GetId(), user, resource, strings.ToLower(action)})
+				if domainExist {
+					for _, domain := range permission.Domains {
+						policies = append(policies, []string{user, domain, resource, strings.ToLower(action)})
+					}
+				} else {
+					policies = append(policies, []string{user, resource, strings.ToLower(action)})
+				}
 			}
 		}
 	}
 	for _, role := range permission.Roles {
+		roleObj := GetRole(role)
+		for _, subUser := range roleObj.Users {
+			if domainExist {
+				for _, domain := range permission.Domains {
+					groupingPolicies = append(groupingPolicies, []string{subUser, domain, role})
+				}
+			} else {
+				groupingPolicies = append(groupingPolicies, []string{subUser, role})
+			}
+		}
+		for _, subRole := range roleObj.Roles {
+			if domainExist {
+				for _, domain := range permission.Domains {
+					groupingPolicies = append(groupingPolicies, []string{subRole, domain, role})
+				}
+			} else {
+				groupingPolicies = append(groupingPolicies, []string{subRole, role})
+			}
+		}
 		for _, resource := range permission.Resources {
 			for _, action := range permission.Actions {
-				policies = append(policies, []string{permission.GetId(), role, resource, strings.ToLower(action)})
+				if domainExist {
+					for _, domain := range permission.Domains {
+						policies = append(policies, []string{role, domain, resource, strings.ToLower(action)})
+					}
+				} else {
+					policies = append(policies, []string{role, resource, strings.ToLower(action)})
 				}
 			}
 		}
-	return policies
+	}
+	return policies, groupingPolicies
 }
 
 func addPolicies(permission *Permission) {
 	enforcer := getEnforcer(permission)
-	policies := getPolicies(permission)
+	policies, groupingPolicies := getPolicies(permission)
+
+	if len(groupingPolicies) > 0 {
+		_, err := enforcer.AddGroupingPolicies(groupingPolicies)
+		if err != nil {
+			panic(err)
+		}
+	}
 
 	_, err := enforcer.AddPolicies(policies)
 	if err != nil {
@@ -93,48 +137,25 @@ func addPolicies(permission *Permission) {
 
 func removePolicies(permission *Permission) {
 	enforcer := getEnforcer(permission)
+	policies, groupingPolicies := getPolicies(permission)
 
-	_, err := enforcer.RemoveFilteredPolicy(0, permission.GetId())
+	if len(groupingPolicies) > 0 {
-	if err != nil {
-		panic(err)
-	}
-}
-
-func getGroupingPolicies(role *Role) [][]string {
-	var groupingPolicies [][]string
-	for _, subUser := range role.Users {
-		groupingPolicies = append(groupingPolicies, []string{subUser, role.GetId()})
-	}
-	for _, subRole := range role.Roles {
-		groupingPolicies = append(groupingPolicies, []string{subRole, role.GetId()})
-	}
-	return groupingPolicies
-}
-
-func addGroupingPolicies(role *Role) {
-	enforcer := getEnforcer(&Permission{})
-	groupingPolicies := getGroupingPolicies(role)
-
-	_, err := enforcer.AddGroupingPolicies(groupingPolicies)
-	if err != nil {
-		panic(err)
-	}
-}
-
-func removeGroupingPolicies(role *Role) {
-	enforcer := getEnforcer(&Permission{})
-	groupingPolicies := getGroupingPolicies(role)
-
 		_, err := enforcer.RemoveGroupingPolicies(groupingPolicies)
 		if err != nil {
 			panic(err)
 		}
 	}
 
+	_, err := enforcer.RemovePolicies(policies)
+	if err != nil {
+		panic(err)
+	}
+}
+
 func Enforce(userId string, permissionRule *PermissionRule) bool {
-	permission := GetPermission(permissionRule.V0)
+	permission := GetPermission(permissionRule.Id)
 	enforcer := getEnforcer(permission)
-	allow, err := enforcer.Enforce(userId, permissionRule.V2, permissionRule.V3)
+	allow, err := enforcer.Enforce(userId, permissionRule.V1, permissionRule.V2)
 	if err != nil {
 		panic(err)
 	}
@@ -144,9 +165,9 @@ func Enforce(userId string, permissionRule *PermissionRule) bool {
 func BatchEnforce(userId string, permissionRules []PermissionRule) []bool {
 	var requests [][]interface{}
 	for _, permissionRule := range permissionRules {
-		requests = append(requests, []interface{}{userId, permissionRule.V2, permissionRule.V3})
+		requests = append(requests, []interface{}{userId, permissionRule.V1, permissionRule.V2})
 	}
-	permission := GetPermission(permissionRules[0].V0)
+	permission := GetPermission(permissionRules[0].Id)
 	enforcer := getEnforcer(permission)
 	allow, err := enforcer.BatchEnforce(requests)
 	if err != nil {
@@ -155,30 +176,30 @@ func BatchEnforce(userId string, permissionRules []PermissionRule) []bool {
 	return allow
 }
 
-func getAllValues(userId string, sec string, fieldIndex int) []string {
+func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) []string {
 	permissions := GetPermissionsByUser(userId)
+	for _, role := range GetAllRoles(userId) {
+		permissions = append(permissions, GetPermissionsByRole(role)...)
+	}
+
 	var values []string
 	for _, permission := range permissions {
 		enforcer := getEnforcer(permission)
-		enforcer.ClearPolicy()
+		values = append(values, fn(enforcer)...)
-		err := enforcer.LoadFilteredPolicy(xormadapter.Filter{V0: []string{permission.GetId()}, V1: []string{userId}})
-		if err != nil {
-			return nil
-		}
-
-		for _, value := range enforcer.GetModel().GetValuesForFieldInPolicyAllTypes(sec, fieldIndex) {
-			values = append(values, value)
-		}
 	}
 	return values
 }
 
 func GetAllObjects(userId string) []string {
-	return getAllValues(userId, "p", 2)
+	return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
+		return enforcer.GetAllObjects()
+	})
 }
 
 func GetAllActions(userId string) []string {
-	return getAllValues(userId, "p", 3)
+	return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
+		return enforcer.GetAllActions()
+	})
 }
 
 func GetAllRoles(userId string) []string {

object/role.go

@@ -99,11 +99,6 @@ func UpdateRole(id string, role *Role) bool {
 		panic(err)
 	}
 
-	if affected != 0 {
-		removeGroupingPolicies(oldRole)
-		addGroupingPolicies(role)
-	}
-
 	return affected != 0
 }
 
@@ -113,10 +108,6 @@ func AddRole(role *Role) bool {
 		panic(err)
 	}
 
-	if affected != 0 {
-		addGroupingPolicies(role)
-	}
-
 	return affected != 0
 }
 
@@ -126,10 +117,6 @@ func DeleteRole(role *Role) bool {
 		panic(err)
 	}
 
-	if affected != 0 {
-		removeGroupingPolicies(role)
-	}
-
 	return affected != 0
 }
 

web/src/PermissionEditPage.js

@@ -187,6 +187,16 @@ class PermissionEditPage extends React.Component {
             </Select>
           </Col>
         </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:Adapter"), i18next.t("general:Adapter - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Input value={this.state.permission.adapter} onChange={e => {
+              this.updatePermissionField("adapter", e.target.value);
+            }} />
+          </Col>
+        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("role:Sub users"), i18next.t("role:Sub users - Tooltip"))} :
@@ -217,7 +227,7 @@ class PermissionEditPage extends React.Component {
           </Col>
           <Col span={22} >
             <Select virtual={false} mode="tags" style={{width: "100%"}} value={this.state.permission.domains} onChange={(value => {
-              this.updateRoleField("domains", value);
+              this.updatePermissionField("domains", value);
             })}>
               {
                 this.state.permission.domains.map((domain, index) => <Option key={index} value={domain}>{domain}</Option>)

web/src/locales/de/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Aktion",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Neu",
     "Affiliation URL": "Affiliation-URL",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/en/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Action",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Add",
     "Affiliation URL": "Affiliation URL",
     "Affiliation URL - Tooltip": "Affiliation URL - Tooltip",

web/src/locales/fr/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Action",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Ajouter",
     "Affiliation URL": "URL d'affiliation",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/ja/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "アクション",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "追加",
     "Affiliation URL": "アフィリエイトURL",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/ko/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Action",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Add",
     "Affiliation URL": "Affiliation URL",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/ru/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Действие",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Добавить",
     "Affiliation URL": "URL-адрес партнёра",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/zh/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "操作",
+    "Adapter": "适配器",
+    "Adapter - Tooltip": "策略存储的表名",
     "Add": "添加",
     "Affiliation URL": "工作单位URL",
     "Affiliation URL - Tooltip": "工作单位URL",