feat: support RBAC model in permission (#1006)

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
2025-07-04 13:20:19 +08:00 · 2022-08-15 10:24:26 +08:00
parent ba732b3075
commit dfbf7753c3
7 changed files with 104 additions and 9 deletions
--- a/object/permission.go
+++ b/object/permission.go
@ -27,8 +27,9 @@ type Permission struct {
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`

-	Users []string `xorm:"mediumtext" json:"users"`
-	Roles []string `xorm:"mediumtext" json:"roles"`
+	Users   []string `xorm:"mediumtext" json:"users"`
+	Roles   []string `xorm:"mediumtext" json:"roles"`
+	Domains []string `xorm:"mediumtext" json:"domains"`

 	Model        string   `xorm:"varchar(100)" json:"model"`
 	ResourceType string   `xorm:"varchar(100)" json:"resourceType"`
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
@ -37,11 +37,14 @@ r = sub, obj, act
 [policy_definition]
 p = permission, sub, obj, act

+[role_definition]
+g = _, _
+
 [policy_effect]
 e = some(where (p.eft == allow))

 [matchers]
-m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`
 	permissionModel := getModel(permission.Owner, permission.Model)
 	if permissionModel != nil {
 		modelText = permissionModel.ModelText
@ -56,11 +59,6 @@ m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`
 		panic(err)
 	}

-	err = enforcer.LoadFilteredPolicy(xormadapter.Filter{V0: []string{permission.GetId()}})
-	if err != nil {
-		panic(err)
-	}
-
 	return enforcer
 }

@ -102,6 +100,37 @@ func removePolicies(permission *Permission) {
 	}
 }

+func getGroupingPolicies(role *Role) [][]string {
+	var groupingPolicies [][]string
+	for _, subUser := range role.Users {
+		groupingPolicies = append(groupingPolicies, []string{subUser, role.GetId()})
+	}
+	for _, subRole := range role.Roles {
+		groupingPolicies = append(groupingPolicies, []string{subRole, role.GetId()})
+	}
+	return groupingPolicies
+}
+
+func addGroupingPolicies(role *Role) {
+	enforcer := getEnforcer(&Permission{})
+	groupingPolicies := getGroupingPolicies(role)
+
+	_, err := enforcer.AddGroupingPolicies(groupingPolicies)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func removeGroupingPolicies(role *Role) {
+	enforcer := getEnforcer(&Permission{})
+	groupingPolicies := getGroupingPolicies(role)
+
+	_, err := enforcer.RemoveGroupingPolicies(groupingPolicies)
+	if err != nil {
+		panic(err)
+	}
+}
+
 func Enforce(userId string, permissionRule *PermissionRule) bool {
 	permission := GetPermission(permissionRule.V0)
 	enforcer := getEnforcer(permission)
--- a/object/role.go
+++ b/object/role.go
@ -29,6 +29,7 @@ type Role struct {

 	Users     []string `xorm:"mediumtext" json:"users"`
 	Roles     []string `xorm:"mediumtext" json:"roles"`
+	Domains   []string `xorm:"mediumtext" json:"domains"`
 	IsEnabled bool     `json:"isEnabled"`
 }

@ -88,7 +89,8 @@ func GetRole(id string) *Role {

 func UpdateRole(id string, role *Role) bool {
 	owner, name := util.GetOwnerAndNameFromId(id)
-	if getRole(owner, name) == nil {
+	oldRole := getRole(owner, name)
+	if oldRole == nil {
 		return false
 	}

@ -97,6 +99,11 @@ func UpdateRole(id string, role *Role) bool {
 		panic(err)
 	}

+	if affected != 0 {
+		removeGroupingPolicies(oldRole)
+		addGroupingPolicies(role)
+	}
+
 	return affected != 0
 }

@ -106,6 +113,10 @@ func AddRole(role *Role) bool {
 		panic(err)
 	}

+	if affected != 0 {
+		addGroupingPolicies(role)
+	}
+
 	return affected != 0
 }

@ -115,6 +126,10 @@ func DeleteRole(role *Role) bool {
 		panic(err)
 	}

+	if affected != 0 {
+		removeGroupingPolicies(role)
+	}
+
 	return affected != 0
 }