feat: support RBAC model in permission (#1006)

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>

object/permission_enforcer.go

@@ -37,11 +37,14 @@ r = sub, obj, act
 [policy_definition]
 p = permission, sub, obj, act
 
+[role_definition]
+g = _, _
+
 [policy_effect]
 e = some(where (p.eft == allow))
 
 [matchers]
-m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`
 	permissionModel := getModel(permission.Owner, permission.Model)
 	if permissionModel != nil {
 		modelText = permissionModel.ModelText
@@ -56,11 +59,6 @@ m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`
 		panic(err)
 	}
 
-	err = enforcer.LoadFilteredPolicy(xormadapter.Filter{V0: []string{permission.GetId()}})
-	if err != nil {
-		panic(err)
-	}
-
 	return enforcer
 }
 
@@ -102,6 +100,37 @@ func removePolicies(permission *Permission) {
 	}
 }
 
+func getGroupingPolicies(role *Role) [][]string {
+	var groupingPolicies [][]string
+	for _, subUser := range role.Users {
+		groupingPolicies = append(groupingPolicies, []string{subUser, role.GetId()})
+	}
+	for _, subRole := range role.Roles {
+		groupingPolicies = append(groupingPolicies, []string{subRole, role.GetId()})
+	}
+	return groupingPolicies
+}
+
+func addGroupingPolicies(role *Role) {
+	enforcer := getEnforcer(&Permission{})
+	groupingPolicies := getGroupingPolicies(role)
+
+	_, err := enforcer.AddGroupingPolicies(groupingPolicies)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func removeGroupingPolicies(role *Role) {
+	enforcer := getEnforcer(&Permission{})
+	groupingPolicies := getGroupingPolicies(role)
+
+	_, err := enforcer.RemoveGroupingPolicies(groupingPolicies)
+	if err != nil {
+		panic(err)
+	}
+}
+
 func Enforce(userId string, permissionRule *PermissionRule) bool {
 	permission := GetPermission(permissionRule.V0)
 	enforcer := getEnforcer(permission)