apps/core
1
0
Fork 0
mirror of https://github.com/datarhei/core.git synced 2025-10-05 16:07:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Dump casbin, replace with own policy enforcer

Browse Source
This commit is contained in:
Ingo Oppermann
2024-07-23 15:54:09 +02:00
parent 879819f10f
commit 54b1fe8e86
115 changed files with 1515 additions and 15200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/api/api.go
View File

@@ -28,8 +28,8 @@ import (
httpfs "github.com/datarhei/core/v16/http/fs"
"github.com/datarhei/core/v16/http/router"
"github.com/datarhei/core/v16/iam"
iamaccess "github.com/datarhei/core/v16/iam/access"
iamidentity "github.com/datarhei/core/v16/iam/identity"
iampolicy "github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/io/fs"
"github.com/datarhei/core/v16/log"
"github.com/datarhei/core/v16/math/rand"
@@ -669,7 +669,7 @@ func (a *api) start(ctx context.Context) error {
return err
}
policyAdapter, err := iamaccess.NewJSONAdapter(rfs, "./policy.json", nil)
policyAdapter, err := iampolicy.NewJSONAdapter(rfs, "./policy.json", nil)
if err != nil {
return err
}
@@ -694,7 +694,7 @@ func (a *api) start(ctx context.Context) error {
// Check if there are already file created by IAM. If not, create policies
// and users based on the config in order to mimic the behaviour before IAM.
if len(rfs.List("/", fs.ListOptions{Pattern: "/*.json"})) == 0 {
policies := []iamaccess.Policy{
policies := []iampolicy.Policy{
{
Name: "$anon",
Domain: "$none",
@@ -730,7 +730,7 @@ func (a *api) start(ctx context.Context) error {
},
}
policies = append(policies, iamaccess.Policy{
policies = append(policies, iampolicy.Policy{
Name: cfg.Storage.Memory.Auth.Username,
Domain: "$none",
Types: []string{"fs"},
@@ -756,7 +756,7 @@ func (a *api) start(ctx context.Context) error {
users[s.Auth.Username] = user
}
policies = append(policies, iamaccess.Policy{
policies = append(policies, iampolicy.Policy{
Name: s.Auth.Username,
Domain: "$none",
Types: []string{"fs"},
@@ -767,7 +767,7 @@ func (a *api) start(ctx context.Context) error {
}
if cfg.RTMP.Enable && len(cfg.RTMP.Token) == 0 {
policies = append(policies, iamaccess.Policy{
policies = append(policies, iampolicy.Policy{
Name: "$anon",
Domain: "$none",
Types: []string{"rtmp"},
@@ -777,7 +777,7 @@ func (a *api) start(ctx context.Context) error {
}
if cfg.SRT.Enable && len(cfg.SRT.Token) == 0 {
policies = append(policies, iamaccess.Policy{
policies = append(policies, iampolicy.Policy{
Name: "$anon",
Domain: "$none",
Types: []string{"srt"},

4
cluster/client/client.go
View File

@@ -13,8 +13,8 @@ import (
"github.com/datarhei/core/v16/config"
"github.com/datarhei/core/v16/encoding/json"
"github.com/datarhei/core/v16/ffmpeg/skills"
iamaccess "github.com/datarhei/core/v16/iam/access"
iamidentity "github.com/datarhei/core/v16/iam/identity"
iampolicy "github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/restream/app"
)
@@ -57,7 +57,7 @@ type UpdateIdentityRequest struct {
}
type SetPoliciesRequest struct {
Policies []iamaccess.Policy `json:"policies"`
Policies []iampolicy.Policy `json:"policies"`
}
type LockRequest struct {

4
cluster/cluster.go
View File

@@ -23,8 +23,8 @@ import (
"github.com/datarhei/core/v16/encoding/json"
"github.com/datarhei/core/v16/ffmpeg/skills"
"github.com/datarhei/core/v16/iam"
iamaccess "github.com/datarhei/core/v16/iam/access"
iamidentity "github.com/datarhei/core/v16/iam/identity"
iampolicy "github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/log"
"github.com/datarhei/core/v16/net"
"github.com/datarhei/core/v16/resources"
@@ -70,7 +70,7 @@ type Cluster interface {
IAMIdentityAdd(origin string, identity iamidentity.User) error
IAMIdentityUpdate(origin, name string, identity iamidentity.User) error
IAMIdentityRemove(origin string, name string) error
IAMPoliciesSet(origin, name string, policies []iamaccess.Policy) error
IAMPoliciesSet(origin, name string, policies []iampolicy.Policy) error
LockCreate(origin string, name string, validUntil time.Time) (*kvs.Lock, error)
LockDelete(origin string, name string) error

4
cluster/forwarder/iam.go
View File

@@ -2,8 +2,8 @@ package forwarder
import (
apiclient "github.com/datarhei/core/v16/cluster/client"
iamaccess "github.com/datarhei/core/v16/iam/access"
iamidentity "github.com/datarhei/core/v16/iam/identity"
iampolicy "github.com/datarhei/core/v16/iam/policy"
)
func (f *Forwarder) IAMIdentityAdd(origin string, identity iamidentity.User) error {
@@ -38,7 +38,7 @@ func (f *Forwarder) IAMIdentityUpdate(origin, name string, identity iamidentity.
return reconstructError(client.IAMIdentityUpdate(origin, name, r))
}
func (f *Forwarder) IAMPoliciesSet(origin, name string, policies []iamaccess.Policy) error {
func (f *Forwarder) IAMPoliciesSet(origin, name string, policies []iampolicy.Policy) error {
if origin == "" {
origin = f.ID
}

8
cluster/iam.go
View File

@@ -8,8 +8,8 @@ import (
clusteriamadapter "github.com/datarhei/core/v16/cluster/iam/adapter"
"github.com/datarhei/core/v16/cluster/store"
"github.com/datarhei/core/v16/iam"
iamaccess "github.com/datarhei/core/v16/iam/access"
iamidentity "github.com/datarhei/core/v16/iam/identity"
iampolicy "github.com/datarhei/core/v16/iam/policy"
)
func (c *cluster) IAM(superuser iamidentity.User, jwtRealm, jwtSecret string) (iam.IAM, error) {
@@ -54,13 +54,13 @@ func (c *cluster) ListIdentity(name string) (time.Time, iamidentity.User, error)
return user.UpdatedAt, user.Users[0], nil
}
func (c *cluster) ListPolicies() (time.Time, []iamaccess.Policy) {
func (c *cluster) ListPolicies() (time.Time, []iampolicy.Policy) {
policies := c.store.IAMPolicyList()
return policies.UpdatedAt, policies.Policies
}
func (c *cluster) ListUserPolicies(name string) (time.Time, []iamaccess.Policy) {
func (c *cluster) ListUserPolicies(name string) (time.Time, []iampolicy.Policy) {
policies := c.store.IAMIdentityPolicyList(name)
return policies.UpdatedAt, policies.Policies
@@ -101,7 +101,7 @@ func (c *cluster) IAMIdentityUpdate(origin, name string, identity iamidentity.Us
return c.applyCommand(cmd)
}
func (c *cluster) IAMPoliciesSet(origin, name string, policies []iamaccess.Policy) error {
func (c *cluster) IAMPoliciesSet(origin, name string, policies []iampolicy.Policy) error {
if !c.IsRaftLeader() {
return c.forwarder.IAMPoliciesSet(origin, name, policies)
}

43
cluster/iam/adapter/policy.go
View File

@@ -4,9 +4,7 @@ import (
"sync"
"github.com/datarhei/core/v16/cluster/store"
iamaccess "github.com/datarhei/core/v16/iam/access"
"github.com/casbin/casbin/v2/model"
"github.com/datarhei/core/v16/iam/policy"
)
type policyAdapter struct {
@@ -15,7 +13,7 @@ type policyAdapter struct {
lock sync.RWMutex
}
func NewPolicyAdapter(store store.Store) (iamaccess.Adapter, error) {
func NewPolicyAdapter(store store.Store) (policy.Adapter, error) {
a := &policyAdapter{
store: store,
domains: map[string]struct{}{},
@@ -24,13 +22,13 @@ func NewPolicyAdapter(store store.Store) (iamaccess.Adapter, error) {
return a, nil
}
func (a *policyAdapter) LoadPolicy(model model.Model) error {
policies := a.store.IAMPolicyList()
func (a *policyAdapter) LoadPolicy(model policy.Model) error {
storePolicies := a.store.IAMPolicyList()
rules := [][]string{}
policies := []policy.Policy{}
domains := map[string]struct{}{}
for _, p := range policies.Policies {
for _, p := range storePolicies.Policies {
if len(p.Domain) == 0 {
p.Domain = "$none"
}
@@ -39,19 +37,20 @@ func (a *policyAdapter) LoadPolicy(model model.Model) error {
p.Types = []string{"$none"}
}
rule := []string{
p.Name,
p.Domain,
iamaccess.EncodeResource(p.Types, p.Resource),
iamaccess.EncodeActions(p.Actions),
policy := policy.Policy{
Name: p.Name,
Domain: p.Domain,
Types: p.Types,
Resource: p.Resource,
Actions: p.Actions,
}
domains[p.Domain] = struct{}{}
rules = append(rules, rule)
policies = append(policies, policy)
}
model.AddPolicies("p", "p", rules)
model.AddPolicies(policies)
a.lock.Lock()
a.domains = domains
@@ -60,27 +59,23 @@ func (a *policyAdapter) LoadPolicy(model model.Model) error {
return nil
}
func (a *policyAdapter) SavePolicy(model model.Model) error {
func (a *policyAdapter) SavePolicy(_ policy.Model) error {
return nil
}
func (a *policyAdapter) AddPolicy(sec, ptype string, rule []string) error {
func (a *policyAdapter) AddPolicy(_ policy.Policy) error {
return nil
}
func (a *policyAdapter) AddPolicies(sec string, ptype string, rules [][]string) error {
func (a *policyAdapter) AddPolicies(_ []policy.Policy) error {
return nil
}
func (a *policyAdapter) RemovePolicy(sec string, ptype string, rule []string) error {
func (a *policyAdapter) RemovePolicy(_ policy.Policy) error {
return nil
}
func (a *policyAdapter) RemovePolicies(sec string, ptype string, rules [][]string) error {
return nil
}
func (a *policyAdapter) RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error {
func (a *policyAdapter) RemovePolicies(_ []policy.Policy) error {
return nil
}

4
cluster/iam/iam.go
View File

@@ -5,8 +5,8 @@ import (
"github.com/datarhei/core/v16/cluster/store"
"github.com/datarhei/core/v16/iam"
"github.com/datarhei/core/v16/iam/access"
"github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/log"
)
@@ -84,7 +84,7 @@ func (m *manager) RemovePolicy(name, domain string, types []string, resource str
return ErrClusterMode
}
func (m *manager) ListPolicies(name, domain string, types []string, resource string, actions []string) []access.Policy {
func (m *manager) ListPolicies(name, domain string, types []string, resource string, actions []string) []policy.Policy {
return m.iam.ListPolicies(name, domain, types, resource, actions)
}

4
cluster/store/identity_test.go
View File

@@ -4,8 +4,8 @@ import (
"testing"
"time"
"github.com/datarhei/core/v16/iam/access"
"github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/stretchr/testify/require"
)
@@ -394,7 +394,7 @@ func TestUpdateIdentityWithPolicies(t *testing.T) {
Name: "foobar",
}
policies := []access.Policy{
policies := []policy.Policy{
{
Name: "bla",
Domain: "bla",

6
cluster/store/policy.go
View File

@@ -4,7 +4,7 @@ import (
"fmt"
"time"
"github.com/datarhei/core/v16/iam/access"
"github.com/datarhei/core/v16/iam/policy"
)
func (s *store) setPolicies(cmd CommandSetPolicies) error {
@@ -80,9 +80,9 @@ func (s *store) IAMIdentityPolicyList(name string) Policies {
}
// updatePolicy updates a policy such that the resource type is split off the resource
func (s *store) updatePolicy(p access.Policy) access.Policy {
func (s *store) updatePolicy(p policy.Policy) policy.Policy {
if len(p.Types) == 0 {
p.Types, p.Resource = access.DecodeResource(p.Resource)
p.Types, p.Resource = policy.DecodeResource(p.Resource)
}
return p

6
cluster/store/policy_test.go
View File

@@ -3,8 +3,8 @@ package store
import (
"testing"
"github.com/datarhei/core/v16/iam/access"
"github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/stretchr/testify/require"
)
@@ -30,7 +30,7 @@ func TestSetPoliciesCommand(t *testing.T) {
Operation: OpSetPolicies,
Data: CommandSetPolicies{
Name: "foobar",
Policies: []access.Policy{
Policies: []policy.Policy{
{
Name: "bla",
Domain: "bla",
@@ -59,7 +59,7 @@ func TestSetPolicies(t *testing.T) {
Name: "foobar",
}
policies := []access.Policy{
policies := []policy.Policy{
{
Name: "bla",
Domain: "bla",

10
cluster/store/store.go
View File

@@ -7,8 +7,8 @@ import (
"time"
"github.com/datarhei/core/v16/encoding/json"
"github.com/datarhei/core/v16/iam/access"
"github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/log"
"github.com/datarhei/core/v16/restream/app"
@@ -56,7 +56,7 @@ type Users struct {
type Policies struct {
UpdatedAt time.Time
Policies []access.Policy
Policies []policy.Policy
}
type Value struct {
@@ -154,7 +154,7 @@ type CommandRemoveIdentity struct {
type CommandSetPolicies struct {
Name string
Policies []access.Policy
Policies []policy.Policy
}
type CommandCreateLock struct {
@@ -196,7 +196,7 @@ type storeData struct {
Policies struct {
UpdatedAt time.Time
Policies map[string][]access.Policy
Policies map[string][]policy.Policy
}
Locks map[string]time.Time
@@ -217,7 +217,7 @@ func (s *storeData) init() {
s.Users.Users = map[string]identity.User{}
s.Users.userlist = identity.NewUserList()
s.Policies.UpdatedAt = now
s.Policies.Policies = map[string][]access.Policy{}
s.Policies.Policies = map[string][]policy.Policy{}
s.Locks = map[string]time.Time{}
s.KVS = map[string]Value{}
s.Nodes = map[string]Node{}

4
go.mod
View File

@@ -1,6 +1,6 @@
module github.com/datarhei/core/v16
go 1.21.0
go 1.22.0
toolchain go1.22.1
@@ -11,7 +11,6 @@ require (
github.com/andybalholm/brotli v1.1.0
github.com/atrox/haikunatorgo/v2 v2.0.1
github.com/caddyserver/certmagic v0.21.3
github.com/casbin/casbin/v2 v2.97.0
github.com/datarhei/gosrt v0.6.0
github.com/datarhei/joy4 v0.0.0-20240603190808-b1407345907e
github.com/fujiwara/shapeio v1.0.0
@@ -60,7 +59,6 @@ require (
github.com/beorn7/perks v1.0.1 // indirect
github.com/boltdb/bolt v1.3.1 // indirect
github.com/caddyserver/zerossl v0.1.3 // indirect
github.com/casbin/govaluate v1.2.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect

10
go.sum
View File

@@ -39,11 +39,6 @@ github.com/caddyserver/certmagic v0.21.3 h1:pqRRry3yuB4CWBVq9+cUqu+Y6E2z8TswbhNx
github.com/caddyserver/certmagic v0.21.3/go.mod h1:Zq6pklO9nVRl3DIFUw9gVUfXKdpc/0qwTUAQMBlfgtI=
github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
github.com/casbin/casbin/v2 v2.97.0 h1:FFHIzY+6fLIcoAB/DKcG5xvscUo9XqRpBniRYhlPWkg=
github.com/casbin/casbin/v2 v2.97.0/go.mod h1:jX8uoN4veP85O/n2674r2qtfSXI6myvxW85f6TH50fw=
github.com/casbin/govaluate v1.1.0/go.mod h1:G/UnbIjZk/0uMNaLwZZmFQrR72tYRZWQkO70si/iR7A=
github.com/casbin/govaluate v1.2.0 h1:wXCXFmqyY+1RwiKfYo3jMKyrtZmOL3kHwaqDyCPOYak=
github.com/casbin/govaluate v1.2.0/go.mod h1:G/UnbIjZk/0uMNaLwZZmFQrR72tYRZWQkO70si/iR7A=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -109,8 +104,6 @@ github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOW
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -338,13 +331,11 @@ golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/
golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
@@ -372,7 +363,6 @@ golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

10
http/api/iam.go
View File

@@ -3,8 +3,8 @@ package api
import (
"time"
"github.com/datarhei/core/v16/iam/access"
"github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
)
type IAMUser struct {
@@ -17,7 +17,7 @@ type IAMUser struct {
Policies []IAMPolicy `json:"policies"`
}
func (u *IAMUser) Marshal(user identity.User, policies []access.Policy) {
func (u *IAMUser) Marshal(user identity.User, policies []policy.Policy) {
u.CreatedAt = user.CreatedAt.Unix()
u.UpdatedAt = user.UpdatedAt.Unix()
u.Name = user.Name
@@ -52,7 +52,7 @@ func (u *IAMUser) Marshal(user identity.User, policies []access.Policy) {
}
}
func (u *IAMUser) Unmarshal() (identity.User, []access.Policy) {
func (u *IAMUser) Unmarshal() (identity.User, []policy.Policy) {
iamuser := identity.User{
CreatedAt: time.Unix(u.CreatedAt, 0),
UpdatedAt: time.Unix(u.UpdatedAt, 0),
@@ -79,10 +79,10 @@ func (u *IAMUser) Unmarshal() (identity.User, []access.Policy) {
},
}
iampolicies := []access.Policy{}
iampolicies := []policy.Policy{}
for _, p := range u.Policies {
iampolicies = append(iampolicies, access.Policy{
iampolicies = append(iampolicies, policy.Policy{
Name: u.Name,
Domain: p.Domain,
Types: p.Types,

6
http/handler/api/cluster_iam.go
View File

@@ -7,8 +7,8 @@ import (
"github.com/datarhei/core/v16/cluster/store"
"github.com/datarhei/core/v16/http/api"
"github.com/datarhei/core/v16/http/handler/util"
"github.com/datarhei/core/v16/iam/access"
"github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/labstack/echo/v4"
)
@@ -198,14 +198,14 @@ func (h *ClusterHandler) IAMIdentityUpdatePolicies(c echo.Context) error {
}
}
accessPolicies := []access.Policy{}
accessPolicies := []policy.Policy{}
for _, p := range policies {
if !h.iam.Enforce(ctxuser, p.Domain, "iam", iamuser.Name, "write") {
return api.Err(http.StatusForbidden, "", "not allowed to write policy: %v", p)
}
accessPolicies = append(accessPolicies, access.Policy{
accessPolicies = append(accessPolicies, policy.Policy{
Name: name,
Domain: p.Domain,
Types: p.Types,

4
http/handler/api/process_test.go
View File

@@ -12,8 +12,8 @@ import (
"github.com/datarhei/core/v16/http/api"
"github.com/datarhei/core/v16/http/mock"
"github.com/datarhei/core/v16/iam"
"github.com/datarhei/core/v16/iam/access"
"github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/io/fs"
"github.com/labstack/echo/v4"
@@ -37,7 +37,7 @@ func getDummyRestreamHandler() (*ProcessHandler, error) {
return nil, fmt.Errorf("failed to create memory filesystem: %w", err)
}
policyAdapter, err := access.NewJSONAdapter(memfs, "./policy.json", nil)
policyAdapter, err := policy.NewJSONAdapter(memfs, "./policy.json", nil)
if err != nil {
return nil, err
}

4
http/middleware/iam/iam_test.go
View File

@@ -14,8 +14,8 @@ import (
apihandler "github.com/datarhei/core/v16/http/handler/api"
"github.com/datarhei/core/v16/http/validator"
"github.com/datarhei/core/v16/iam"
iamaccess "github.com/datarhei/core/v16/iam/access"
iamidentity "github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/io/fs"
"github.com/labstack/echo/v4"
@@ -30,7 +30,7 @@ func getIAM() (iam.IAM, error) {
return nil, err
}
policyAdapter, err := iamaccess.NewJSONAdapter(dummyfs, "./policy.json", nil)
policyAdapter, err := policy.NewJSONAdapter(dummyfs, "./policy.json", nil)
if err != nil {
return nil, err
}

182
iam/access/access.go
View File

@@ -1,182 +0,0 @@
package access
import (
"sort"
"strings"
"github.com/datarhei/core/v16/log"
"github.com/casbin/casbin/v2"
"github.com/casbin/casbin/v2/model"
)
type Policy struct {
Name string
Domain string
Types []string
Resource string
Actions []string
}
type Enforcer interface {
Enforce(name, domain, rtype, resource, action string) (bool, string)
HasDomain(name string) bool
ListDomains() []string
}
type Manager interface {
Enforcer
HasPolicy(name, domain string, types []string, resource string, actions []string) bool
AddPolicy(name, domain string, types []string, resource string, actions []string) error
RemovePolicy(name, domain string, types []string, resource string, actions []string) error
ListPolicies(name, domain string, types []string, resource string, actions []string) []Policy
ReloadPolicies() error
}
type access struct {
logger log.Logger
adapter Adapter
model model.Model
enforcer *casbin.SyncedEnforcer
}
type Config struct {
Adapter Adapter
Logger log.Logger
}
func New(config Config) (Manager, error) {
am := &access{
adapter: config.Adapter,
logger: config.Logger,
}
if am.logger == nil {
am.logger = log.New("")
}
m := model.NewModel()
m.AddDef("r", "r", "sub, dom, obj, act")
m.AddDef("p", "p", "sub, dom, obj, act")
m.AddDef("g", "g", "_, _, _")
m.AddDef("e", "e", "some(where (p.eft == allow))")
m.AddDef("m", "m", `g(r.sub, p.sub, r.dom) && r.dom == p.dom && ResourceMatch(r.obj, p.obj) && ActionMatch(r.act, p.act) || r.sub == "$superuser"`)
e, err := casbin.NewSyncedEnforcer(m, am.adapter)
if err != nil {
return nil, err
}
e.AddFunction("ResourceMatch", resourceMatchFunc)
e.AddFunction("ActionMatch", actionMatchFunc)
am.enforcer = e
am.model = m
return am, nil
}
func (am *access) HasPolicy(name, domain string, types []string, resource string, actions []string) bool {
policy := []string{name, domain, EncodeResource(types, resource), EncodeActions(actions)}
hasPolicy, _ := am.enforcer.HasPolicy(policy)
return hasPolicy
}
func (am *access) AddPolicy(name, domain string, types []string, resource string, actions []string) error {
policy := []string{name, domain, EncodeResource(types, resource), EncodeActions(actions)}
if hasPolicy, _ := am.enforcer.HasPolicy(policy); hasPolicy {
return nil
}
_, err := am.enforcer.AddPolicy(policy)
return err
}
func (am *access) RemovePolicy(name, domain string, types []string, resource string, actions []string) error {
policies, err := am.enforcer.GetFilteredPolicy(0, name, domain, EncodeResource(types, resource), EncodeActions(actions))
if err != nil {
return err
}
_, err = am.enforcer.RemovePolicies(policies)
return err
}
func (am *access) ListPolicies(name, domain string, types []string, resource string, actions []string) []Policy {
policies := []Policy{}
ps, err := am.enforcer.GetFilteredPolicy(0, name, domain, EncodeResource(types, resource), EncodeActions(actions))
if err != nil {
return policies
}
for _, p := range ps {
types, resource := DecodeResource(p[2])
policies = append(policies, Policy{
Name: p[0],
Domain: p[1],
Types: types,
Resource: resource,
Actions: DecodeActions(p[3]),
})
}
return policies
}
func (am *access) ReloadPolicies() error {
am.enforcer.ClearPolicy()
return am.enforcer.LoadPolicy()
}
func (am *access) HasDomain(name string) bool {
return am.adapter.HasDomain(name)
}
func (am *access) ListDomains() []string {
return am.adapter.AllDomains()
}
func (am *access) Enforce(name, domain, rtype, resource, action string) (bool, string) {
resource = rtype + ":" + resource
ok, rule, _ := am.enforcer.EnforceEx(name, domain, resource, action)
return ok, strings.Join(rule, ", ")
}
func EncodeActions(actions []string) string {
return strings.Join(actions, "|")
}
func DecodeActions(actions string) []string {
return strings.Split(actions, "|")
}
func EncodeResource(types []string, resource string) string {
if len(types) == 0 {
return resource
}
sort.Strings(types)
return strings.Join(types, "|") + ":" + resource
}
func DecodeResource(resource string) ([]string, string) {
before, after, found := strings.Cut(resource, ":")
if !found {
return []string{"$none"}, resource
}
return strings.Split(before, "|"), after
}

588
iam/access/adapter.go
View File

@@ -1,588 +0,0 @@
package access
import (
"errors"
"fmt"
"sort"
"strings"
"sync"
"github.com/datarhei/core/v16/encoding/json"
"github.com/datarhei/core/v16/io/fs"
"github.com/datarhei/core/v16/log"
"github.com/casbin/casbin/v2/model"
"github.com/casbin/casbin/v2/persist"
)
// Adapter is the file adapter for Casbin.
// It can load policy from file or save policy to file.
type adapter struct {
fs fs.Filesystem
filePath string
logger log.Logger
domains []Domain
lock sync.Mutex
}
type Adapter interface {
persist.BatchAdapter
AllDomains() []string
HasDomain(string) bool
}
func NewJSONAdapter(fs fs.Filesystem, filePath string, logger log.Logger) (Adapter, error) {
a := &adapter{
fs: fs,
filePath: filePath,
logger: logger,
}
if a.fs == nil {
return nil, fmt.Errorf("a filesystem has to be provided")
}
if len(a.filePath) == 0 {
return nil, fmt.Errorf("invalid file path, file path cannot be empty")
}
if a.logger == nil {
a.logger = log.New("")
}
return a, nil
}
// Adapter
func (a *adapter) LoadPolicy(model model.Model) error {
a.lock.Lock()
defer a.lock.Unlock()
return a.loadPolicyFile(model)
}
func (a *adapter) loadPolicyFile(model model.Model) error {
if _, err := a.fs.Stat(a.filePath); err != nil {
if errors.Is(err, fs.ErrNotExist) {
a.domains = []Domain{}
return nil
}
return err
}
data, err := a.fs.ReadFile(a.filePath)
if err != nil {
return err
}
domains := []Domain{}
err = json.Unmarshal(data, &domains)
if err != nil {
return err
}
rule := [5]string{}
for _, domain := range domains {
rule[0] = "p"
rule[2] = domain.Name
for name, roles := range domain.Roles {
rule[1] = "role:" + name
for _, role := range roles {
rule[3] = role.Resource
rule[4] = formatList(role.Actions)
if err := a.importPolicy(model, rule[0:5]); err != nil {
return err
}
}
}
for _, policy := range domain.Policies {
rule[1] = policy.Username
rule[3] = policy.Resource
rule[4] = formatList(policy.Actions)
if err := a.importPolicy(model, rule[0:5]); err != nil {
return err
}
}
rule[0] = "g"
rule[3] = domain.Name
for _, ug := range domain.UserRoles {
rule[1] = ug.Username
rule[2] = "role:" + ug.Role
if err := a.importPolicy(model, rule[0:4]); err != nil {
return err
}
}
}
a.domains = domains
return nil
}
func (a *adapter) importPolicy(model model.Model, rule []string) error {
copiedRule := make([]string, len(rule))
copy(copiedRule, rule)
a.logger.Debug().WithFields(log.Fields{
"subject": copiedRule[1],
"domain": copiedRule[2],
"resource": copiedRule[3],
"actions": copiedRule[4],
}).Log("Imported policy")
ok, err := model.HasPolicyEx(copiedRule[0], copiedRule[0], copiedRule[1:])
if err != nil {
return err
}
if ok {
return nil // skip duplicated policy
}
model.AddPolicy(copiedRule[0], copiedRule[0], copiedRule[1:])
return nil
}
// Adapter
func (a *adapter) SavePolicy(model model.Model) error {
a.lock.Lock()
defer a.lock.Unlock()
return a.savePolicyFile()
}
func (a *adapter) savePolicyFile() error {
jsondata, err := json.MarshalIndent(a.domains, "", " ")
if err != nil {
return err
}
_, _, err = a.fs.WriteFileSafe(a.filePath, jsondata)
return err
}
// Adapter (auto-save)
func (a *adapter) AddPolicy(sec, ptype string, rule []string) error {
a.lock.Lock()
defer a.lock.Unlock()
err := a.addPolicy(ptype, rule)
if err != nil {
return err
}
return a.savePolicyFile()
}
// BatchAdapter (auto-save)
func (a *adapter) AddPolicies(sec string, ptype string, rules [][]string) error {
a.lock.Lock()
defer a.lock.Unlock()
for _, rule := range rules {
err := a.addPolicy(ptype, rule)
if err != nil {
return err
}
}
return a.savePolicyFile()
}
func (a *adapter) addPolicy(ptype string, rule []string) error {
ok, err := a.hasPolicy(ptype, rule)
if err != nil {
return err
}
if ok {
// the policy is already there, nothing to add
return nil
}
username := ""
role := ""
domain := ""
resource := ""
actions := ""
if ptype == "p" {
username = rule[0]
domain = rule[1]
resource = rule[2]
actions = formatList(rule[3])
a.logger.Debug().WithFields(log.Fields{
"subject": username,
"domain": domain,
"resource": resource,
"actions": actions,
}).Log("Adding policy")
} else if ptype == "g" {
username = rule[0]
role = rule[1]
domain = rule[2]
a.logger.Debug().WithFields(log.Fields{
"subject": username,
"role": role,
"domain": domain,
}).Log("Adding role mapping")
} else {
return fmt.Errorf("unknown ptype: %s", ptype)
}
var dom *Domain = nil
for i := range a.domains {
if a.domains[i].Name == domain {
dom = &a.domains[i]
break
}
}
if dom == nil {
g := Domain{
Name: domain,
Roles: map[string][]Role{},
UserRoles: []MapUserRole{},
Policies: []DomainPolicy{},
}
a.domains = append(a.domains, g)
dom = &a.domains[len(a.domains)-1]
}
if ptype == "p" {
if strings.HasPrefix(username, "role:") {
if dom.Roles == nil {
dom.Roles = make(map[string][]Role)
}
role := strings.TrimPrefix(username, "role:")
dom.Roles[role] = append(dom.Roles[role], Role{
Resource: resource,
Actions: actions,
})
} else {
dom.Policies = append(dom.Policies, DomainPolicy{
Username: username,
Role: Role{
Resource: resource,
Actions: actions,
},
})
}
} else {
dom.UserRoles = append(dom.UserRoles, MapUserRole{
Username: username,
Role: strings.TrimPrefix(role, "role:"),
})
}
return nil
}
func (a *adapter) hasPolicy(ptype string, rule []string) (bool, error) {
var username string
var role string
var domain string
var resource string
var actions string
if ptype == "p" {
if len(rule) < 4 {
return false, fmt.Errorf("invalid rule length. must be 'user/role, domain, resource, actions'")
}
username = rule[0]
domain = rule[1]
resource = rule[2]
actions = formatList(rule[3])
} else if ptype == "g" {
if len(rule) < 3 {
return false, fmt.Errorf("invalid rule length. must be 'user, role, domain'")
}
username = rule[0]
role = rule[1]
domain = rule[2]
} else {
return false, fmt.Errorf("unknown ptype: %s", ptype)
}
var dom *Domain = nil
for i := range a.domains {
if a.domains[i].Name == domain {
dom = &a.domains[i]
break
}
}
if dom == nil {
// if we can't find any domain with that name, then the policy doesn't exist
return false, nil
}
if ptype == "p" {
isRole := false
if strings.HasPrefix(username, "role:") {
isRole = true
username = strings.TrimPrefix(username, "role:")
}
if isRole {
roles, ok := dom.Roles[username]
if !ok {
// unknown role, policy doesn't exist
return false, nil
}
for _, role := range roles {
if role.Resource == resource && formatList(role.Actions) == actions {
return true, nil
}
}
} else {
for _, p := range dom.Policies {
if p.Username == username && p.Resource == resource && formatList(p.Actions) == actions {
return true, nil
}
}
}
} else {
role = strings.TrimPrefix(role, "role:")
for _, user := range dom.UserRoles {
if user.Username == username && user.Role == role {
return true, nil
}
}
}
return false, nil
}
// Adapter (auto-save)
func (a *adapter) RemovePolicy(sec string, ptype string, rule []string) error {
a.lock.Lock()
defer a.lock.Unlock()
err := a.removePolicy(ptype, rule)
if err != nil {
return err
}
return a.savePolicyFile()
}
// BatchAdapter (auto-save)
func (a *adapter) RemovePolicies(sec string, ptype string, rules [][]string) error {
a.lock.Lock()
defer a.lock.Unlock()
for _, rule := range rules {
err := a.removePolicy(ptype, rule)
if err != nil {
return err
}
}
return a.savePolicyFile()
}
func (a *adapter) removePolicy(ptype string, rule []string) error {
ok, err := a.hasPolicy(ptype, rule)
if err != nil {
return err
}
if !ok {
// the policy is not there, nothing to remove
return nil
}
username := ""
role := ""
domain := ""
resource := ""
actions := ""
if ptype == "p" {
username = rule[0]
domain = rule[1]
resource = rule[2]
actions = formatList(rule[3])
a.logger.Debug().WithFields(log.Fields{
"subject": username,
"domain": domain,
"resource": resource,
"actions": actions,
}).Log("Removing policy")
} else if ptype == "g" {
username = rule[0]
role = rule[1]
domain = rule[2]
a.logger.Debug().WithFields(log.Fields{
"subject": username,
"role": role,
"domain": domain,
}).Log("Removing role mapping")
} else {
return fmt.Errorf("unknown ptype: %s", ptype)
}
var dom *Domain = nil
for i := range a.domains {
if a.domains[i].Name == domain {
dom = &a.domains[i]
break
}
}
if ptype == "p" {
isRole := false
if strings.HasPrefix(username, "role:") {
isRole = true
username = strings.TrimPrefix(username, "role:")
}
if isRole {
roles := dom.Roles[username]
newRoles := []Role{}
for _, role := range roles {
if role.Resource == resource && formatList(role.Actions) == actions {
continue
}
newRoles = append(newRoles, role)
}
dom.Roles[username] = newRoles
} else {
policies := []DomainPolicy{}
for _, p := range dom.Policies {
if p.Username == username && p.Resource == resource && formatList(p.Actions) == actions {
continue
}
policies = append(policies, p)
}
dom.Policies = policies
}
} else {
role = strings.TrimPrefix(role, "role:")
users := []MapUserRole{}
for _, user := range dom.UserRoles {
if user.Username == username && user.Role == role {
continue
}
users = append(users, user)
}
dom.UserRoles = users
}
// Remove the group if there are no rules and policies
if len(dom.Roles) == 0 && len(dom.UserRoles) == 0 && len(dom.Policies) == 0 {
groups := []Domain{}
for _, g := range a.domains {
if g.Name == dom.Name {
continue
}
groups = append(groups, g)
}
a.domains = groups
}
return nil
}
// Adapter
func (a *adapter) RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error {
return fmt.Errorf("not implemented")
}
func (a *adapter) AllDomains() []string {
a.lock.Lock()
defer a.lock.Unlock()
names := []string{}
for _, domain := range a.domains {
if domain.Name[0] == '$' {
continue
}
names = append(names, domain.Name)
}
return names
}
func (a *adapter) HasDomain(name string) bool {
a.lock.Lock()
defer a.lock.Unlock()
for _, domain := range a.domains {
if domain.Name[0] == '$' {
continue
}
if domain.Name == name {
return true
}
}
return false
}
type Domain struct {
Name string `json:"name"`
Roles map[string][]Role `json:"roles"`
UserRoles []MapUserRole `json:"userroles"`
Policies []DomainPolicy `json:"policies"`
}
type Role struct {
Resource string `json:"resource"`
Actions string `json:"actions"`
}
type MapUserRole struct {
Username string `json:"username"`
Role string `json:"role"`
}
type DomainPolicy struct {
Username string `json:"username"`
Role
}
func formatList(list string) string {
a := strings.Split(list, "|")
sort.Strings(a)
return strings.Join(a, "|")
}

116
iam/access/functions.go
View File

@@ -1,116 +0,0 @@
package access
import (
"strings"
"sync"
"github.com/datarhei/core/v16/glob"
)
var globcache = map[string]glob.Glob{}
var globcacheMu = sync.RWMutex{}
func resourceMatch(request, policy string) bool {
reqPrefix, reqResource := getPrefix(request)
polPrefix, polResource := getPrefix(policy)
var match bool = false
var err error = nil
reqType := strings.ToLower(reqPrefix)
polTypes := strings.Split(strings.ToLower(polPrefix), "|")
for _, polType := range polTypes {
if reqType != polType {
continue
}
match = true
break
}
if !match {
return false
}
match = false
key := reqType + polResource
if reqType == "api" || reqType == "fs" || reqType == "rtmp" || reqType == "srt" {
globcacheMu.RLock()
matcher, ok := globcache[key]
globcacheMu.RUnlock()
if !ok {
matcher, err = glob.Compile(polResource, rune('/'))
if err != nil {
return false
}
globcacheMu.Lock()
globcache[key] = matcher
globcacheMu.Unlock()
}
match = matcher.Match(reqResource)
} else {
globcacheMu.RLock()
matcher, ok := globcache[key]
globcacheMu.RUnlock()
if !ok {
matcher, err = glob.Compile(polResource)
if err != nil {
return false
}
globcacheMu.Lock()
globcache[key] = matcher
globcacheMu.Unlock()
}
match = matcher.Match(reqResource)
}
return match
}
func resourceMatchFunc(args ...interface{}) (interface{}, error) {
request := args[0].(string)
policy := args[1].(string)
return (bool)(resourceMatch(request, policy)), nil
}
func actionMatch(request string, policy string) bool {
request = strings.ToUpper(request)
actions := strings.Split(strings.ToUpper(policy), "|")
if len(actions) == 0 {
return false
}
if len(actions) == 1 && actions[0] == "ANY" {
return true
}
for _, a := range actions {
if request == a {
return true
}
}
return false
}
func actionMatchFunc(args ...interface{}) (interface{}, error) {
request := args[0].(string)
policy := args[1].(string)
return (bool)(actionMatch(request, policy)), nil
}
func getPrefix(s string) (string, string) {
prefix, resource, found := strings.Cut(s, ":")
if !found {
return "", s
}
return prefix, resource
}

29
iam/iam.go
View File

@@ -1,8 +1,8 @@
package iam
import (
"github.com/datarhei/core/v16/iam/access"
"github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/log"
)
@@ -19,7 +19,7 @@ type IAM interface {
HasPolicy(name, domain string, types []string, resource string, actions []string) bool
AddPolicy(name, domain string, types []string, resource string, actions []string) error
RemovePolicy(name, domain string, types []string, resource string, actions []string) error
ListPolicies(name, domain string, types []string, resource string, actions []string) []access.Policy
ListPolicies(name, domain string, types []string, resource string, actions []string) []policy.Policy
ReloadPolicies() error
Validators() []string
@@ -42,13 +42,13 @@ type IAM interface {
type iam struct {
im identity.Manager
am access.Manager
am policy.Manager
logger log.Logger
}
type Config struct {
PolicyAdapter access.Adapter
PolicyAdapter policy.Adapter
IdentityAdapter identity.Adapter
Superuser identity.User
JWTRealm string
@@ -68,9 +68,10 @@ func New(config Config) (IAM, error) {
return nil, err
}
am, err := access.New(access.Config{
Adapter: config.PolicyAdapter,
Logger: config.Logger,
am, err := policy.New(policy.Config{
Superuser: "$superuser",
Adapter: config.PolicyAdapter,
Logger: config.Logger,
})
if err != nil {
return nil, err
@@ -126,16 +127,12 @@ func (i *iam) Enforce(name, domain, rtype, resource, action string) bool {
name = "$superuser"
}
ok, rule := i.am.Enforce(name, domain, rtype, resource, action)
ok, policy := i.am.Enforce(name, domain, rtype, resource, action)
if !ok {
l.Log("no match")
} else {
if name == "$superuser" {
rule = ""
}
l.WithField("rule", rule).Log("match")
l.WithField("policy", policy).Log("match")
}
return ok
@@ -234,11 +231,11 @@ func (i *iam) RemovePolicy(name, domain string, types []string, resource string,
}
}
return i.am.RemovePolicy(name, domain, types, resource, actions)
return i.am.RemovePolicy(name, domain)
}
func (i *iam) ListPolicies(name, domain string, types []string, resource string, actions []string) []access.Policy {
return i.am.ListPolicies(name, domain, types, resource, actions)
func (i *iam) ListPolicies(name, domain string, types []string, resource string, actions []string) []policy.Policy {
return i.am.ListPolicies(name, domain)
}
func (i *iam) ReloadPolicies() error {

35
iam/policy/access.go Normal file
View File

@@ -0,0 +1,35 @@
package policy
import (
"fmt"
"strings"
)
type Policy struct {
Name string
Domain string
Types []string
Resource string
Actions []string
}
func (p Policy) String() string {
return fmt.Sprintf("%s@%s (%s):%s %s", p.Name, p.Domain, strings.Join(p.Types, "|"), p.Resource, strings.Join(p.Actions, "|"))
}
type Enforcer interface {
Enforce(name, domain, rtype, resource, action string) (bool, Policy)
HasDomain(name string) bool
ListDomains() []string
}
type Manager interface {
Enforcer
HasPolicy(name, domain string, types []string, resource string, actions []string) bool
AddPolicy(name, domain string, types []string, resource string, actions []string) error
RemovePolicy(name, domain string) error
ListPolicies(name, domain string) []Policy
ReloadPolicies() error
}

418
iam/policy/adapter.go Normal file
View File

@@ -0,0 +1,418 @@
package policy
import (
"encoding/json"
"errors"
"fmt"
"sort"
"strings"
"sync"
"github.com/datarhei/core/v16/io/fs"
"github.com/datarhei/core/v16/log"
)
type policyadapter struct {
fs fs.Filesystem
filePath string
logger log.Logger
domains []Domain
lock sync.Mutex
}
type Adapter interface {
AddPolicy(policy Policy) error
LoadPolicy(model Model) error
RemovePolicy(policy Policy) error
SavePolicy(model Model) error
AddPolicies(policies []Policy) error
RemovePolicies(policies []Policy) error
AllDomains() []string
HasDomain(string) bool
}
func NewJSONAdapter(fs fs.Filesystem, filePath string, logger log.Logger) (Adapter, error) {
a := &policyadapter{
fs: fs,
filePath: filePath,
logger: logger,
}
if a.fs == nil {
return nil, fmt.Errorf("a filesystem has to be provided")
}
if len(a.filePath) == 0 {
return nil, fmt.Errorf("invalid file path, file path cannot be empty")
}
if a.logger == nil {
a.logger = log.New("")
}
return a, nil
}
// Adapter
func (a *policyadapter) LoadPolicy(model Model) error {
a.lock.Lock()
defer a.lock.Unlock()
return a.loadPolicyFile(model)
}
func (a *policyadapter) loadPolicyFile(model Model) error {
if _, err := a.fs.Stat(a.filePath); err != nil {
if errors.Is(err, fs.ErrNotExist) {
a.domains = []Domain{}
return nil
}
return err
}
data, err := a.fs.ReadFile(a.filePath)
if err != nil {
return err
}
domains := []Domain{}
err = json.Unmarshal(data, &domains)
if err != nil {
return err
}
for _, domain := range domains {
for _, policy := range domain.Policies {
rtypes, resource := DecodeResource(policy.Resource)
p := normalizePolicy(Policy{
Name: policy.Username,
Domain: domain.Name,
Types: rtypes,
Resource: resource,
Actions: DecodeActions(policy.Actions),
})
if err := a.importPolicy(model, p); err != nil {
return err
}
}
}
a.domains = domains
return nil
}
func (a *policyadapter) importPolicy(model Model, policy Policy) error {
a.logger.Debug().WithFields(log.Fields{
"subject": policy.Name,
"domain": policy.Domain,
"types": policy.Types,
"resource": policy.Resource,
"actions": policy.Actions,
}).Log("Imported policy")
model.AddPolicy(policy)
return nil
}
// Adapter
func (a *policyadapter) SavePolicy(model Model) error {
a.lock.Lock()
defer a.lock.Unlock()
return a.savePolicyFile()
}
func (a *policyadapter) savePolicyFile() error {
jsondata, err := json.MarshalIndent(a.domains, "", " ")
if err != nil {
return err
}
_, _, err = a.fs.WriteFileSafe(a.filePath, jsondata)
return err
}
// Adapter (auto-save)
func (a *policyadapter) AddPolicy(policy Policy) error {
a.lock.Lock()
defer a.lock.Unlock()
err := a.addPolicy(policy)
if err != nil {
return err
}
return a.savePolicyFile()
}
// BatchAdapter (auto-save)
func (a *policyadapter) AddPolicies(policies []Policy) error {
a.lock.Lock()
defer a.lock.Unlock()
for _, policy := range policies {
err := a.addPolicy(policy)
if err != nil {
return err
}
}
return a.savePolicyFile()
}
func (a *policyadapter) addPolicy(policy Policy) error {
ok, err := a.hasPolicy(policy)
if err != nil {
return err
}
if ok {
// the policy is already there, nothing to add
return nil
}
policy = normalizePolicy(policy)
username := policy.Name
domain := policy.Domain
resource := EncodeResource(policy.Types, policy.Resource)
actions := EncodeActions(policy.Actions)
a.logger.Debug().WithFields(log.Fields{
"subject": username,
"domain": domain,
"resource": resource,
"actions": actions,
}).Log("Adding policy")
var dom *Domain = nil
for i := range a.domains {
if a.domains[i].Name == domain {
dom = &a.domains[i]
break
}
}
if dom == nil {
g := Domain{
Name: domain,
Policies: []DomainPolicy{},
}
a.domains = append(a.domains, g)
dom = &a.domains[len(a.domains)-1]
}
dom.Policies = append(dom.Policies, DomainPolicy{
Username: username,
Resource: resource,
Actions: actions,
})
return nil
}
func (a *policyadapter) hasPolicy(policy Policy) (bool, error) {
policy = normalizePolicy(policy)
username := policy.Name
domain := policy.Domain
resource := EncodeResource(policy.Types, policy.Resource)
actions := EncodeActions(policy.Actions)
var dom *Domain = nil
for i := range a.domains {
if a.domains[i].Name == domain {
dom = &a.domains[i]
break
}
}
if dom == nil {
// if we can't find any domain with that name, then the policy doesn't exist
return false, nil
}
for _, p := range dom.Policies {
if p.Username == username && p.Resource == resource && p.Actions == actions {
return true, nil
}
}
return false, nil
}
// Adapter (auto-save)
func (a *policyadapter) RemovePolicy(policy Policy) error {
a.lock.Lock()
defer a.lock.Unlock()
err := a.removePolicy(policy)
if err != nil {
return err
}
return a.savePolicyFile()
}
// BatchAdapter (auto-save)
func (a *policyadapter) RemovePolicies(policies []Policy) error {
a.lock.Lock()
defer a.lock.Unlock()
for _, policy := range policies {
err := a.removePolicy(policy)
if err != nil {
return err
}
}
return a.savePolicyFile()
}
func (a *policyadapter) removePolicy(policy Policy) error {
ok, err := a.hasPolicy(policy)
if err != nil {
return err
}
if !ok {
// the policy is not there, nothing to remove
return nil
}
policy = normalizePolicy(policy)
username := policy.Name
domain := policy.Domain
resource := EncodeResource(policy.Types, policy.Resource)
actions := EncodeActions(policy.Actions)
a.logger.Debug().WithFields(log.Fields{
"subject": username,
"domain": domain,
"resource": resource,
"actions": actions,
}).Log("Removing policy")
var dom *Domain = nil
for i := range a.domains {
if a.domains[i].Name == domain {
dom = &a.domains[i]
break
}
}
policies := []DomainPolicy{}
for _, p := range dom.Policies {
if p.Username == username && p.Resource == resource && p.Actions == actions {
continue
}
policies = append(policies, p)
}
dom.Policies = policies
// Remove the group if there are no rules and policies
if len(dom.Policies) == 0 {
groups := []Domain{}
for _, g := range a.domains {
if g.Name == dom.Name {
continue
}
groups = append(groups, g)
}
a.domains = groups
}
return nil
}
// Adapter
func (a *policyadapter) RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error {
return fmt.Errorf("not implemented")
}
func (a *policyadapter) AllDomains() []string {
a.lock.Lock()
defer a.lock.Unlock()
names := []string{}
for _, domain := range a.domains {
if domain.Name[0] == '$' {
continue
}
names = append(names, domain.Name)
}
return names
}
func (a *policyadapter) HasDomain(name string) bool {
a.lock.Lock()
defer a.lock.Unlock()
for _, domain := range a.domains {
if domain.Name[0] == '$' {
continue
}
if domain.Name == name {
return true
}
}
return false
}
type Domain struct {
Name string `json:"name"`
Policies []DomainPolicy `json:"policies"`
}
type DomainPolicy struct {
Username string `json:"username"`
Resource string `json:"resource"`
Actions string `json:"actions"`
}
func EncodeActions(actions []string) string {
return strings.Join(actions, "|")
}
func DecodeActions(actions string) []string {
return strings.Split(actions, "|")
}
func EncodeResource(types []string, resource string) string {
if len(types) == 0 {
return resource
}
sort.Strings(types)
return strings.Join(types, "|") + ":" + resource
}
func DecodeResource(resource string) ([]string, string) {
before, after, found := strings.Cut(resource, ":")
if !found {
return []string{"$none"}, resource
}
return strings.Split(before, "|"), after
}

65
iam/access/adapter_test.go → iam/policy/adapter_test.go
View File

@@ -1,4 +1,4 @@
package access
package policy
import (
"testing"
@@ -16,10 +16,16 @@ func TestAddPolicy(t *testing.T) {
ai, err := NewJSONAdapter(memfs, "/policy.json", nil)
require.NoError(t, err)
a, ok := ai.(*adapter)
a, ok := ai.(*policyadapter)
require.True(t, ok)
err = a.AddPolicy("p", "p", []string{"foobar", "group", "resource", "action"})
err = a.AddPolicy(Policy{
Name: "foobar",
Domain: "group",
Types: []string{},
Resource: "resource",
Actions: []string{"action"},
})
require.NoError(t, err)
require.Equal(t, 1, len(a.domains))
@@ -35,24 +41,11 @@ func TestAddPolicy(t *testing.T) {
require.Equal(t, 1, len(g[0].Policies))
require.Equal(t, DomainPolicy{
Username: "foobar",
Role: Role{
Resource: "resource",
Actions: "action",
},
Resource: "resource",
Actions: "action",
}, g[0].Policies[0])
}
func TestFormatActions(t *testing.T) {
data := [][]string{
{"a|b|c", "a|b|c"},
{"b|c|a", "a|b|c"},
}
for _, d := range data {
require.Equal(t, d[1], formatList(d[0]), d[0])
}
}
func TestRemovePolicy(t *testing.T) {
memfs, err := fs.NewMemFilesystem(fs.MemConfig{})
require.NoError(t, err)
@@ -60,25 +53,49 @@ func TestRemovePolicy(t *testing.T) {
ai, err := NewJSONAdapter(memfs, "/policy.json", nil)
require.NoError(t, err)
a, ok := ai.(*adapter)
a, ok := ai.(*policyadapter)
require.True(t, ok)
err = a.AddPolicies("p", "p", [][]string{
{"foobar1", "group", "resource1", "action1"},
{"foobar2", "group", "resource2", "action2"},
err = a.AddPolicies([]Policy{
{
Name: "foobar1",
Domain: "group",
Types: []string{},
Resource: "resource1",
Actions: []string{"action1"},
},
{
Name: "foobar2",
Domain: "group",
Types: []string{},
Resource: "resource2",
Actions: []string{"action2"},
},
})
require.NoError(t, err)
require.Equal(t, 1, len(a.domains))
require.Equal(t, 2, len(a.domains[0].Policies))
err = a.RemovePolicy("p", "p", []string{"foobar1", "group", "resource1", "action1"})
err = a.RemovePolicy(Policy{
Name: "foobar1",
Domain: "group",
Types: []string{},
Resource: "resource1",
Actions: []string{"action1"},
})
require.NoError(t, err)
require.Equal(t, 1, len(a.domains))
require.Equal(t, 1, len(a.domains[0].Policies))
err = a.RemovePolicy("p", "p", []string{"foobar2", "group", "resource2", "action2"})
err = a.RemovePolicy(Policy{
Name: "foobar2",
Domain: "group",
Types: []string{},
Resource: "resource2",
Actions: []string{"action2"},
})
require.NoError(t, err)
require.Equal(t, 0, len(a.domains))

93
iam/policy/enforcer.go Normal file
View File

@@ -0,0 +1,93 @@
package policy
import (
"github.com/puzpuzpuz/xsync/v3"
)
type PolicyEnforcer struct {
model Model
adapter Adapter
lock *xsync.RBMutex
}
func NewEnforcer(model Model, adapter Adapter) *PolicyEnforcer {
e := &PolicyEnforcer{
model: model,
adapter: adapter,
lock: xsync.NewRBMutex(),
}
e.ReloadPolicies()
return e
}
func (e *PolicyEnforcer) HasPolicy(policy Policy) bool {
token := e.lock.RLock()
defer e.lock.RUnlock(token)
return e.model.HasPolicy(policy)
}
func (e *PolicyEnforcer) AddPolicy(policy Policy) error {
token := e.lock.RLock()
defer e.lock.RUnlock(token)
err := e.model.AddPolicy(policy)
if err != nil {
return err
}
if e.adapter != nil {
e.adapter.AddPolicy(policy)
}
return nil
}
func (e *PolicyEnforcer) RemovePolicies(policies []Policy) error {
token := e.lock.RLock()
defer e.lock.RUnlock(token)
err := e.model.RemovePolicies(policies)
if err != nil {
return err
}
if e.adapter != nil {
e.adapter.RemovePolicies(policies)
}
return nil
}
func (e *PolicyEnforcer) GetFilteredPolicy(name, domain string) []Policy {
token := e.lock.RLock()
defer e.lock.RUnlock(token)
return e.model.GetFilteredPolicy(name, domain)
}
func (e *PolicyEnforcer) ReloadPolicies() error {
e.lock.Lock()
defer e.lock.Unlock()
e.model.ClearPolicy()
return e.adapter.LoadPolicy(e.model)
}
func (e *PolicyEnforcer) Enforce(name, domain, rtype, resource, action string) (bool, Policy) {
token := e.lock.RLock()
defer e.lock.RUnlock(token)
return e.model.Enforce(name, domain, rtype, resource, action)
}
func (e *PolicyEnforcer) HasDomain(name string) bool {
return e.adapter.HasDomain(name)
}
func (e *PolicyEnforcer) ListDomains() []string {
return e.adapter.AllDomains()
}

0
iam/access/fixtures/policy.json → iam/policy/fixtures/policy.json
View File

92
iam/policy/manager.go Normal file
View File

@@ -0,0 +1,92 @@
package policy
import (
"fmt"
"github.com/datarhei/core/v16/log"
)
type policyaccess struct {
logger log.Logger
adapter Adapter
model Model
enforcer *PolicyEnforcer
}
type Config struct {
Adapter Adapter
Logger log.Logger
Superuser string
}
func New(config Config) (Manager, error) {
am := &policyaccess{
adapter: config.Adapter,
logger: config.Logger,
}
if am.adapter == nil {
return nil, fmt.Errorf("missing adapter")
}
if am.logger == nil {
am.logger = log.New("")
}
m := NewModel(config.Superuser)
e := NewEnforcer(m, am.adapter)
am.enforcer = e
am.model = m
return am, nil
}
func (am *policyaccess) Enforce(name, domain, rtype, resource, action string) (bool, Policy) {
return am.enforcer.Enforce(name, domain, rtype, resource, action)
}
func (am *policyaccess) HasPolicy(name, domain string, types []string, resource string, actions []string) bool {
return am.enforcer.HasPolicy(Policy{
Name: name,
Domain: domain,
Types: types,
Resource: resource,
Actions: actions,
})
}
func (am *policyaccess) AddPolicy(name, domain string, types []string, resource string, actions []string) error {
policy := Policy{
Name: name,
Domain: domain,
Types: types,
Resource: resource,
Actions: actions,
}
return am.enforcer.AddPolicy(policy)
}
func (am *policyaccess) RemovePolicy(name, domain string) error {
policies := am.enforcer.GetFilteredPolicy(name, domain)
return am.enforcer.RemovePolicies(policies)
}
func (am *policyaccess) ListPolicies(name, domain string) []Policy {
return am.enforcer.GetFilteredPolicy(name, domain)
}
func (am *policyaccess) ReloadPolicies() error {
return am.enforcer.ReloadPolicies()
}
func (am *policyaccess) HasDomain(name string) bool {
return am.adapter.HasDomain(name)
}
func (am *policyaccess) ListDomains() []string {
return am.adapter.AllDomains()
}

63
iam/access/access_test.go → iam/policy/manager_test.go
View File

@@ -1,9 +1,13 @@
package access
package policy
import (
"fmt"
"math/rand/v2"
"sync"
"testing"
"github.com/datarhei/core/v16/io/fs"
"github.com/stretchr/testify/require"
)
@@ -26,7 +30,7 @@ func TestAccessManager(t *testing.T) {
})
require.NoError(t, err)
policies := am.ListPolicies("", "", nil, "", nil)
policies := am.ListPolicies("", "")
require.ElementsMatch(t, []Policy{
{
Name: "ingo",
@@ -46,7 +50,7 @@ func TestAccessManager(t *testing.T) {
am.AddPolicy("foobar", "group", []string{"bla", "blubb"}, "/", []string{"write"})
policies = am.ListPolicies("", "", nil, "", nil)
policies = am.ListPolicies("", "")
require.ElementsMatch(t, []Policy{
{
Name: "ingo",
@@ -75,9 +79,9 @@ func TestAccessManager(t *testing.T) {
require.True(t, am.HasDomain("group"))
require.False(t, am.HasDomain("$none"))
am.RemovePolicy("ingo", "", nil, "", nil)
am.RemovePolicy("ingo", "")
policies = am.ListPolicies("", "", nil, "", nil)
policies = am.ListPolicies("", "")
require.ElementsMatch(t, []Policy{
{
Name: "foobar",
@@ -112,12 +116,57 @@ func BenchmarkEnforce(b *testing.B) {
})
require.NoError(b, err)
am.AddPolicy("$anon", "$none", []string{"foobar"}, "**", []string{"ANY"})
names := []string{}
for i := 0; i < 1000; i++ {
name := fmt.Sprintf("user%d", i)
names = append(names, name)
am.AddPolicy(name, "$none", []string{"foobar"}, "**", []string{"ANY"})
}
b.ResetTimer()
for i := 0; i < b.N; i++ {
ok, _ := am.Enforce("$anon", "$none", "foobar", "baz", "read")
name := names[rand.IntN(1000)]
ok, _ := am.Enforce(name, "$none", "foobar", "baz", "read")
require.True(b, ok)
}
}
func BenchmarkConcurrentEnforce(b *testing.B) {
adapter, err := createAdapter()
require.NoError(b, err)
am, err := New(Config{
Adapter: adapter,
Logger: nil,
})
require.NoError(b, err)
names := []string{}
for i := 0; i < 1000; i++ {
name := fmt.Sprintf("user%d", i)
names = append(names, name)
am.AddPolicy(name, "$none", []string{"foobar"}, "**", []string{"ANY"})
}
b.ResetTimer()
readerWg := sync.WaitGroup{}
for i := 0; i < 1000; i++ {
readerWg.Add(1)
go func() {
defer readerWg.Done()
for i := 0; i < b.N; i++ {
name := names[rand.IntN(1000)]
ok, _ := am.Enforce(name, "$none", "foobar", "baz", "read")
require.True(b, ok)
}
}()
}
readerWg.Wait()
}

72
iam/policy/matcher.go Normal file
View File

@@ -0,0 +1,72 @@
package policy
import (
"slices"
"sync"
"github.com/datarhei/core/v16/glob"
)
var globcache = map[string]glob.Glob{}
var globcacheMu = sync.RWMutex{}
func resourceMatch(requestType, requestResource string, policyTypes []string, policyResource string) bool {
var match bool = false
var err error = nil
if !slices.Contains(policyTypes, requestType) {
return false
}
key := requestType + policyResource
if requestType == "api" || requestType == "fs" || requestType == "rtmp" || requestType == "srt" {
globcacheMu.RLock()
matcher, ok := globcache[key]
globcacheMu.RUnlock()
if !ok {
matcher, err = glob.Compile(policyResource, rune('/'))
if err != nil {
return false
}
globcacheMu.Lock()
globcache[key] = matcher
globcacheMu.Unlock()
}
match = matcher.Match(requestResource)
} else {
globcacheMu.RLock()
matcher, ok := globcache[key]
globcacheMu.RUnlock()
if !ok {
matcher, err = glob.Compile(policyResource)
if err != nil {
return false
}
globcacheMu.Lock()
globcache[key] = matcher
globcacheMu.Unlock()
}
match = matcher.Match(requestResource)
}
return match
}
func actionMatch(requestAction string, policyActions []string, wildcard string) bool {
if len(policyActions) == 0 {
return false
}
if len(policyActions) == 1 && policyActions[0] == wildcard {
return true
}
if slices.Contains(policyActions, requestAction) {
return true
}
return false
}

35
iam/policy/matcher_test.go Normal file
View File

@@ -0,0 +1,35 @@
package policy
import (
"testing"
"github.com/stretchr/testify/require"
)
func TestResourceMatcher(t *testing.T) {
ok := resourceMatch("fs", "/", []string{"api", "fs"}, "/")
require.True(t, ok)
ok = resourceMatch("bla", "/", []string{"api", "fs"}, "/")
require.False(t, ok)
ok = resourceMatch("fs", "/foo", []string{"api", "fs"}, "/")
require.False(t, ok)
ok = resourceMatch("fs", "/foo", []string{"api", "fs"}, "/*")
require.True(t, ok)
ok = resourceMatch("fs", "/foo/boz", []string{"api", "fs"}, "/*")
require.False(t, ok)
ok = resourceMatch("fs", "/foo/boz", []string{"api", "fs"}, "/**")
require.True(t, ok)
}
func TestActionMatcher(t *testing.T) {
ok := actionMatch("get", []string{"any"}, "any")
require.True(t, ok)
ok = actionMatch("get", []string{"get", "head"}, "any")
require.True(t, ok)
}

238
iam/policy/model.go Normal file
View File

@@ -0,0 +1,238 @@
package policy
import (
"slices"
"strings"
"github.com/puzpuzpuz/xsync/v3"
)
type Model interface {
Enforce(name, domain, rtype, resource, action string) (bool, Policy)
HasPolicy(policy Policy) bool
AddPolicy(policy Policy) error
AddPolicies(policies []Policy) error
RemovePolicy(policy Policy) error
RemovePolicies(policies []Policy) error
GetFilteredPolicy(name, domain string) []Policy
ClearPolicy()
}
type model struct {
superuser string
policies map[string][]Policy // user@domain
lock *xsync.RBMutex
}
func NewModel(superuser string) Model {
m := &model{
superuser: superuser,
policies: map[string][]Policy{},
lock: xsync.NewRBMutex(),
}
return m
}
func (m *model) HasPolicy(policy Policy) bool {
token := m.lock.RLock()
defer m.lock.RUnlock(token)
return m.hasPolicy(policy)
}
func (m *model) hasPolicy(policy Policy) bool {
key := policy.Name + "@" + policy.Domain
policies, hasKey := m.policies[key]
if !hasKey {
return false
}
policy = normalizePolicy(policy)
for _, p := range policies {
if slices.Equal(p.Types, policy.Types) && p.Resource == policy.Resource && slices.Equal(p.Actions, policy.Actions) {
return true
}
}
return false
}
func (m *model) AddPolicy(policy Policy) error {
m.lock.Lock()
defer m.lock.Unlock()
return m.addPolicy(policy)
}
func (m *model) AddPolicies(policies []Policy) error {
m.lock.Lock()
defer m.lock.Unlock()
for _, policy := range policies {
m.addPolicy(policy)
}
return nil
}
func (m *model) addPolicy(policy Policy) error {
if m.hasPolicy(policy) {
return nil
}
policy = normalizePolicy(policy)
key := policy.Name + "@" + policy.Domain
policies, hasKey := m.policies[key]
if !hasKey {
policies = []Policy{}
}
policies = append(policies, policy)
m.policies[key] = policies
return nil
}
func (m *model) RemovePolicy(policy Policy) error {
m.lock.Lock()
defer m.lock.Unlock()
return m.removePolicy(policy)
}
func (m *model) RemovePolicies(policies []Policy) error {
m.lock.Lock()
defer m.lock.Unlock()
for _, policy := range policies {
m.removePolicy(policy)
}
return nil
}
func (m *model) removePolicy(policy Policy) error {
if !m.hasPolicy(policy) {
return nil
}
policy = normalizePolicy(policy)
key := policy.Name + "@" + policy.Domain
policies := m.policies[key]
newPolicies := []Policy{}
for _, p := range policies {
if slices.Equal(p.Types, policy.Types) && p.Resource == policy.Resource && slices.Equal(p.Actions, policy.Actions) {
continue
}
newPolicies = append(newPolicies, p)
}
if len(newPolicies) != 0 {
m.policies[key] = newPolicies
} else {
delete(m.policies, key)
}
return nil
}
func (m *model) GetFilteredPolicy(name, domain string) []Policy {
token := m.lock.RLock()
defer m.lock.RUnlock(token)
filteredPolicies := []Policy{}
if len(name) == 0 && len(domain) == 0 {
for _, policies := range m.policies {
filteredPolicies = append(filteredPolicies, policies...)
}
} else if len(name) != 0 && len(domain) == 0 {
for key, policies := range m.policies {
if !strings.HasPrefix(key, name+"@") {
continue
}
filteredPolicies = append(filteredPolicies, policies...)
}
} else if len(name) == 0 && len(domain) != 0 {
for key, policies := range m.policies {
if !strings.HasSuffix(key, "@"+domain) {
continue
}
filteredPolicies = append(filteredPolicies, policies...)
}
} else {
for key, policies := range m.policies {
before, after, _ := strings.Cut(key, "@")
if name != before || domain != after {
continue
}
filteredPolicies = append(filteredPolicies, policies...)
}
}
return filteredPolicies
}
func (m *model) ClearPolicy() {
m.lock.Lock()
defer m.lock.Unlock()
m.policies = map[string][]Policy{}
}
func (m *model) Enforce(name, domain, rtype, resource, action string) (bool, Policy) {
token := m.lock.RLock()
defer m.lock.RUnlock(token)
if name == m.superuser {
return true, Policy{
Name: m.superuser,
}
}
key := name + "@" + domain
policies, hasKey := m.policies[key]
if !hasKey {
return false, Policy{}
}
rtype = strings.ToLower(rtype)
action = strings.ToLower(action)
for _, p := range policies {
if resourceMatch(rtype, resource, p.Types, p.Resource) && actionMatch(action, p.Actions, "any") {
return true, p
}
}
return false, Policy{}
}
func normalizePolicy(p Policy) Policy {
for i, t := range p.Types {
p.Types[i] = strings.ToLower(t)
}
slices.Sort(p.Types)
for i, a := range p.Actions {
p.Actions[i] = strings.ToLower(a)
}
slices.Sort(p.Actions)
return p
}

354
iam/policy/model_test.go Normal file
View File

@@ -0,0 +1,354 @@
package policy
import (
"testing"
"github.com/stretchr/testify/require"
)
func TestNormalizePolicy(t *testing.T) {
p := Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET"},
}
p = normalizePolicy(p)
require.Equal(t, Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/foo/**",
Actions: []string{"get", "head", "options"},
}, p)
}
func TestModelNew(t *testing.T) {
m := NewModel("$superuser").(*model)
require.Equal(t, m.superuser, "$superuser")
require.NotNil(t, m.policies)
require.NotNil(t, m.lock)
}
func TestModelAddPolicy(t *testing.T) {
p := Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET"},
}
m := NewModel("$superuser").(*model)
err := m.AddPolicy(p)
require.NoError(t, err)
require.Equal(t, 1, len(m.policies))
require.Equal(t, 1, len(m.policies["foobar@domain"]))
require.Equal(t, Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/foo/**",
Actions: []string{"get", "head", "options"},
}, m.policies["foobar@domain"][0])
m.AddPolicies([]Policy{p, p, p})
require.Equal(t, 1, len(m.policies))
require.Equal(t, 1, len(m.policies["foobar@domain"]))
p.Resource = "/bar/*"
m.AddPolicy(p)
require.Equal(t, 2, len(m.policies["foobar@domain"]))
p.Name = "foobaz"
m.AddPolicy(p)
require.Equal(t, 2, len(m.policies))
require.Equal(t, 1, len(m.policies["foobaz@domain"]))
}
func TestModelHasPolicy(t *testing.T) {
p := Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET"},
}
m := NewModel("$superuser").(*model)
ok := m.HasPolicy(p)
require.False(t, ok)
m.AddPolicy(p)
ok = m.HasPolicy(p)
require.True(t, ok)
ok = m.HasPolicy(Policy{
Name: "foobaz",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET", "put"},
})
require.False(t, ok)
ok = m.HasPolicy(Policy{
Name: "foobar",
Domain: "domaim",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET", "put"},
})
require.False(t, ok)
ok = m.HasPolicy(Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET", "put"},
})
require.False(t, ok)
ok = m.HasPolicy(Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/*",
Actions: []string{"Head", "OPtionS", "GET", "put"},
})
require.False(t, ok)
ok = m.HasPolicy(Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET", "pot"},
})
require.False(t, ok)
}
func TestModelRemovePolicy(t *testing.T) {
p := Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET"},
}
m := NewModel("$superuser").(*model)
m.AddPolicy(p)
p.Resource = "/bar/*"
m.AddPolicy(p)
require.Equal(t, 2, len(m.policies["foobar@domain"]))
err := m.RemovePolicy(Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET", "put"},
})
require.NoError(t, err)
require.Equal(t, 2, len(m.policies["foobar@domain"]))
err = m.RemovePolicy(p)
require.NoError(t, err)
require.Equal(t, 1, len(m.policies))
require.Equal(t, 1, len(m.policies["foobar@domain"]))
}
func TestModelListPolicies(t *testing.T) {
p := Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET"},
}
m := NewModel("$superuser").(*model)
policies := m.GetFilteredPolicy("", "")
require.Equal(t, 0, len(policies))
m.addPolicy(p)
p.Resource = "/bar/*"
m.addPolicy(p)
p.Name = "foobaz"
m.addPolicy(p)
p.Domain = "group"
m.addPolicy(p)
policies = m.GetFilteredPolicy("", "")
require.Equal(t, 4, len(policies))
require.ElementsMatch(t, []Policy{
{
Name: "foobar",
Domain: "domain",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/foo/**",
Actions: []string{"get", "head", "options"},
},
{
Name: "foobar",
Domain: "domain",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/bar/*",
Actions: []string{"get", "head", "options"},
},
{
Name: "foobaz",
Domain: "domain",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/bar/*",
Actions: []string{"get", "head", "options"},
},
{
Name: "foobaz",
Domain: "group",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/bar/*",
Actions: []string{"get", "head", "options"},
},
}, policies)
policies = m.GetFilteredPolicy("foobar", "")
require.Equal(t, 2, len(policies))
require.ElementsMatch(t, []Policy{
{
Name: "foobar",
Domain: "domain",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/foo/**",
Actions: []string{"get", "head", "options"},
},
{
Name: "foobar",
Domain: "domain",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/bar/*",
Actions: []string{"get", "head", "options"},
},
}, policies)
policies = m.GetFilteredPolicy("", "group")
require.Equal(t, 1, len(policies))
require.ElementsMatch(t, []Policy{
{
Name: "foobaz",
Domain: "group",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/bar/*",
Actions: []string{"get", "head", "options"},
},
}, policies)
policies = m.GetFilteredPolicy("foobaz", "domain")
require.Equal(t, 1, len(policies))
require.ElementsMatch(t, []Policy{
{
Name: "foobaz",
Domain: "domain",
Types: []string{"api", "fs", "rtmp", "srt"},
Resource: "/bar/*",
Actions: []string{"get", "head", "options"},
},
}, policies)
policies = m.GetFilteredPolicy("foobar", "group")
require.Equal(t, 0, len(policies))
}
func TestModelEnforce(t *testing.T) {
p := Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET", "play"},
}
m := NewModel("$superuser").(*model)
policies := m.GetFilteredPolicy("", "")
require.Equal(t, 0, len(policies))
m.addPolicy(p)
ok, _ := m.Enforce("$superuser", "xxx", "something", "/nothing", "anything")
require.True(t, ok)
ok, _ = m.Enforce("foobar", "domain", "rtmp", "/foo/bar/baz", "play")
require.True(t, ok)
ok, _ = m.Enforce("foobar", "domain", "rtmp", "/foo/bar/baz", "publish")
require.False(t, ok)
ok, _ = m.Enforce("foobar", "domain", "rtmp", "/fo/bar/baz", "play")
require.False(t, ok)
ok, _ = m.Enforce("foobar", "domain", "rtsp", "/foo/bar/baz", "play")
require.False(t, ok)
ok, _ = m.Enforce("foobar", "group", "rtmp", "/foo/bar/baz", "play")
require.False(t, ok)
ok, _ = m.Enforce("foobaz", "domain", "rtmp", "/foo/bar/baz", "play")
require.False(t, ok)
}
func TestModelClear(t *testing.T) {
p := Policy{
Name: "foobar",
Domain: "domain",
Types: []string{"fs", "API", "rtMp", "srt"},
Resource: "/foo/**",
Actions: []string{"Head", "OPtionS", "GET"},
}
m := NewModel("$superuser").(*model)
policies := m.GetFilteredPolicy("", "")
require.Equal(t, 0, len(policies))
m.addPolicy(p)
p.Resource = "/bar/*"
m.addPolicy(p)
p.Name = "foobaz"
m.addPolicy(p)
p.Domain = "group"
m.addPolicy(p)
policies = m.GetFilteredPolicy("", "")
require.Equal(t, 4, len(policies))
m.ClearPolicy()
policies = m.GetFilteredPolicy("", "")
require.Equal(t, 0, len(policies))
require.Empty(t, m.policies)
}

4
restream/core_test.go
View File

@@ -10,8 +10,8 @@ import (
"github.com/datarhei/core/v16/ffmpeg"
"github.com/datarhei/core/v16/iam"
iamaccess "github.com/datarhei/core/v16/iam/access"
iamidentity "github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/internal/testhelper"
"github.com/datarhei/core/v16/io/fs"
"github.com/datarhei/core/v16/net"
@@ -47,7 +47,7 @@ func getDummyRestreamer(portrange net.Portranger, validatorIn, validatorOut ffmp
return nil, err
}
policyAdapter, err := iamaccess.NewJSONAdapter(memfs, "./policy.json", nil)
policyAdapter, err := policy.NewJSONAdapter(memfs, "./policy.json", nil)
if err != nil {
return nil, err
}

4
restream/rewrite/rewrite_test.go
View File

@@ -5,8 +5,8 @@ import (
"testing"
"github.com/datarhei/core/v16/iam"
iamaccess "github.com/datarhei/core/v16/iam/access"
iamidentity "github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/iam/policy"
"github.com/datarhei/core/v16/io/fs"
"github.com/stretchr/testify/require"
@@ -18,7 +18,7 @@ func getIAM(enableBasic bool) (iam.IAM, error) {
return nil, err
}
policyAdapter, err := iamaccess.NewJSONAdapter(memfs, "./policy.json", nil)
policyAdapter, err := policy.NewJSONAdapter(memfs, "./policy.json", nil)
if err != nil {
return nil, err
}

30
vendor/github.com/casbin/casbin/v2/.gitignore generated vendored
View File

@@ -1,30 +0,0 @@
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so
# Folders
_obj
_test
# Architecture specific extensions/prefixes
*.[568vq]
[568vq].out
*.cgo1.go
*.cgo2.c
_cgo_defun.c
_cgo_gotypes.go
_cgo_export.*
_testmain.go
*.exe
*.test
*.prof
.idea/
*.iml
# vendor files
vendor

354
vendor/github.com/casbin/casbin/v2/.golangci.yml generated vendored
View File

@@ -1,354 +0,0 @@
# Based on https://gist.github.com/maratori/47a4d00457a92aa426dbd48a18776322
# This code is licensed under the terms of the MIT license https://opensource.org/license/mit
# Copyright (c) 2021 Marat Reymers
## Golden config for golangci-lint v1.56.2
#
# This is the best config for golangci-lint based on my experience and opinion.
# It is very strict, but not extremely strict.
# Feel free to adapt and change it for your needs.
run:
# Timeout for analysis, e.g. 30s, 5m.
# Default: 1m
timeout: 3m
# This file contains only configs which differ from defaults.
# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
linters-settings:
cyclop:
# The maximal code complexity to report.
# Default: 10
max-complexity: 30
# The maximal average package complexity.
# If it's higher than 0.0 (float) the check is enabled
# Default: 0.0
package-average: 10.0
errcheck:
# Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
# Such cases aren't reported by default.
# Default: false
check-type-assertions: true
exhaustive:
# Program elements to check for exhaustiveness.
# Default: [ switch ]
check:
- switch
- map
exhaustruct:
# List of regular expressions to exclude struct packages and their names from checks.
# Regular expressions must match complete canonical struct package/name/structname.
# Default: []
exclude:
# std libs
- "^net/http.Client$"
- "^net/http.Cookie$"
- "^net/http.Request$"
- "^net/http.Response$"
- "^net/http.Server$"
- "^net/http.Transport$"
- "^net/url.URL$"
- "^os/exec.Cmd$"
- "^reflect.StructField$"
# public libs
- "^github.com/Shopify/sarama.Config$"
- "^github.com/Shopify/sarama.ProducerMessage$"
- "^github.com/mitchellh/mapstructure.DecoderConfig$"
- "^github.com/prometheus/client_golang/.+Opts$"
- "^github.com/spf13/cobra.Command$"
- "^github.com/spf13/cobra.CompletionOptions$"
- "^github.com/stretchr/testify/mock.Mock$"
- "^github.com/testcontainers/testcontainers-go.+Request$"
- "^github.com/testcontainers/testcontainers-go.FromDockerfile$"
- "^golang.org/x/tools/go/analysis.Analyzer$"
- "^google.golang.org/protobuf/.+Options$"
- "^gopkg.in/yaml.v3.Node$"
funlen:
# Checks the number of lines in a function.
# If lower than 0, disable the check.
# Default: 60
lines: 100
# Checks the number of statements in a function.
# If lower than 0, disable the check.
# Default: 40
statements: 50
# Ignore comments when counting lines.
# Default false
ignore-comments: true
gocognit:
# Minimal code complexity to report.
# Default: 30 (but we recommend 10-20)
min-complexity: 20
gocritic:
# Settings passed to gocritic.
# The settings key is the name of a supported gocritic checker.
# The list of supported checkers can be find in https://go-critic.github.io/overview.
settings:
captLocal:
# Whether to restrict checker to params only.
# Default: true
paramsOnly: false
underef:
# Whether to skip (*x).method() calls where x is a pointer receiver.
# Default: true
skipRecvDeref: false
gomnd:
# List of function patterns to exclude from analysis.
# Values always ignored: `time.Date`,
# `strconv.FormatInt`, `strconv.FormatUint`, `strconv.FormatFloat`,
# `strconv.ParseInt`, `strconv.ParseUint`, `strconv.ParseFloat`.
# Default: []
ignored-functions:
- flag.Arg
- flag.Duration.*
- flag.Float.*
- flag.Int.*
- flag.Uint.*
- os.Chmod
- os.Mkdir.*
- os.OpenFile
- os.WriteFile
- prometheus.ExponentialBuckets.*
- prometheus.LinearBuckets
gomodguard:
blocked:
# List of blocked modules.
# Default: []
modules:
- github.com/golang/protobuf:
recommendations:
- google.golang.org/protobuf
reason: "see https://developers.google.com/protocol-buffers/docs/reference/go/faq#modules"
- github.com/satori/go.uuid:
recommendations:
- github.com/google/uuid
reason: "satori's package is not maintained"
- github.com/gofrs/uuid:
recommendations:
- github.com/gofrs/uuid/v5
reason: "gofrs' package was not go module before v5"
govet:
# Enable all analyzers.
# Default: false
enable-all: true
# Disable analyzers by name.
# Run `go tool vet help` to see all analyzers.
# Default: []
disable:
- fieldalignment # too strict
# Settings per analyzer.
settings:
shadow:
# Whether to be strict about shadowing; can be noisy.
# Default: false
#strict: true
inamedparam:
# Skips check for interface methods with only a single parameter.
# Default: false
skip-single-param: true
nakedret:
# Make an issue if func has more lines of code than this setting, and it has naked returns.
# Default: 30
max-func-lines: 0
nolintlint:
# Exclude following linters from requiring an explanation.
# Default: []
allow-no-explanation: [ funlen, gocognit, lll ]
# Enable to require an explanation of nonzero length after each nolint directive.
# Default: false
require-explanation: true
# Enable to require nolint directives to mention the specific linter being suppressed.
# Default: false
require-specific: true
perfsprint:
# Optimizes into strings concatenation.
# Default: true
strconcat: false
rowserrcheck:
# database/sql is always checked
# Default: []
packages:
- github.com/jmoiron/sqlx
tenv:
# The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
# Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
# Default: false
all: true
stylecheck:
# STxxxx checks in https://staticcheck.io/docs/configuration/options/#checks
# Default: ["*"]
checks: ["all", "-ST1003"]
revive:
rules:
# https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#unused-parameter
- name: unused-parameter
disabled: true
linters:
disable-all: true
enable:
## enabled by default
#- errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases
- gosimple # specializes in simplifying a code
- govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
- ineffassign # detects when assignments to existing variables are not used
- staticcheck # is a go vet on steroids, applying a ton of static analysis checks
- typecheck # like the front-end of a Go compiler, parses and type-checks Go code
- unused # checks for unused constants, variables, functions and types
## disabled by default
- asasalint # checks for pass []any as any in variadic func(...any)
- asciicheck # checks that your code does not contain non-ASCII identifiers
- bidichk # checks for dangerous unicode character sequences
- bodyclose # checks whether HTTP response body is closed successfully
- cyclop # checks function and package cyclomatic complexity
- dupl # tool for code clone detection
- durationcheck # checks for two durations multiplied together
- errname # checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error
#- errorlint # finds code that will cause problems with the error wrapping scheme introduced in Go 1.13
- execinquery # checks query string in Query function which reads your Go src files and warning it finds
- exhaustive # checks exhaustiveness of enum switch statements
- exportloopref # checks for pointers to enclosing loop variables
#- forbidigo # forbids identifiers
- funlen # tool for detection of long functions
- gocheckcompilerdirectives # validates go compiler directive comments (//go:)
#- gochecknoglobals # checks that no global variables exist
- gochecknoinits # checks that no init functions are present in Go code
- gochecksumtype # checks exhaustiveness on Go "sum types"
#- gocognit # computes and checks the cognitive complexity of functions
#- goconst # finds repeated strings that could be replaced by a constant
#- gocritic # provides diagnostics that check for bugs, performance and style issues
- gocyclo # computes and checks the cyclomatic complexity of functions
- godot # checks if comments end in a period
- goimports # in addition to fixing imports, goimports also formats your code in the same style as gofmt
#- gomnd # detects magic numbers
- gomoddirectives # manages the use of 'replace', 'retract', and 'excludes' directives in go.mod
- gomodguard # allow and block lists linter for direct Go module dependencies. This is different from depguard where there are different block types for example version constraints and module recommendations
- goprintffuncname # checks that printf-like functions are named with f at the end
- gosec # inspects source code for security problems
#- lll # reports long lines
- loggercheck # checks key value pairs for common logger libraries (kitlog,klog,logr,zap)
- makezero # finds slice declarations with non-zero initial length
- mirror # reports wrong mirror patterns of bytes/strings usage
- musttag # enforces field tags in (un)marshaled structs
- nakedret # finds naked returns in functions greater than a specified function length
- nestif # reports deeply nested if statements
- nilerr # finds the code that returns nil even if it checks that the error is not nil
#- nilnil # checks that there is no simultaneous return of nil error and an invalid value
- noctx # finds sending http request without context.Context
- nolintlint # reports ill-formed or insufficient nolint directives
#- nonamedreturns # reports all named returns
- nosprintfhostport # checks for misuse of Sprintf to construct a host with port in a URL
#- perfsprint # checks that fmt.Sprintf can be replaced with a faster alternative
- predeclared # finds code that shadows one of Go's predeclared identifiers
- promlinter # checks Prometheus metrics naming via promlint
- protogetter # reports direct reads from proto message fields when getters should be used
- reassign # checks that package variables are not reassigned
- revive # fast, configurable, extensible, flexible, and beautiful linter for Go, drop-in replacement of golint
- rowserrcheck # checks whether Err of rows is checked successfully
- sloglint # ensure consistent code style when using log/slog
- spancheck # checks for mistakes with OpenTelemetry/Census spans
- sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
- stylecheck # is a replacement for golint
- tenv # detects using os.Setenv instead of t.Setenv since Go1.17
- testableexamples # checks if examples are testable (have an expected output)
- testifylint # checks usage of github.com/stretchr/testify
#- testpackage # makes you use a separate _test package
- tparallel # detects inappropriate usage of t.Parallel() method in your Go test codes
- unconvert # removes unnecessary type conversions
#- unparam # reports unused function parameters
- usestdlibvars # detects the possibility to use variables/constants from the Go standard library
- wastedassign # finds wasted assignment statements
- whitespace # detects leading and trailing whitespace
## you may want to enable
#- decorder # checks declaration order and count of types, constants, variables and functions
#- exhaustruct # [highly recommend to enable] checks if all structure fields are initialized
#- gci # controls golang package import order and makes it always deterministic
#- ginkgolinter # [if you use ginkgo/gomega] enforces standards of using ginkgo and gomega
#- godox # detects FIXME, TODO and other comment keywords
#- goheader # checks is file header matches to pattern
#- inamedparam # [great idea, but too strict, need to ignore a lot of cases by default] reports interfaces with unnamed method parameters
#- interfacebloat # checks the number of methods inside an interface
#- ireturn # accept interfaces, return concrete types
#- prealloc # [premature optimization, but can be used in some cases] finds slice declarations that could potentially be preallocated
#- tagalign # checks that struct tags are well aligned
#- varnamelen # [great idea, but too many false positives] checks that the length of a variable's name matches its scope
#- wrapcheck # checks that errors returned from external packages are wrapped
#- zerologlint # detects the wrong usage of zerolog that a user forgets to dispatch zerolog.Event
## disabled
#- containedctx # detects struct contained context.Context field
#- contextcheck # [too many false positives] checks the function whether use a non-inherited context
#- depguard # [replaced by gomodguard] checks if package imports are in a list of acceptable packages
#- dogsled # checks assignments with too many blank identifiers (e.g. x, _, _, _, := f())
#- dupword # [useless without config] checks for duplicate words in the source code
#- errchkjson # [don't see profit + I'm against of omitting errors like in the first example https://github.com/breml/errchkjson] checks types passed to the json encoding functions. Reports unsupported types and optionally reports occasions, where the check for the returned error can be omitted
#- forcetypeassert # [replaced by errcheck] finds forced type assertions
#- goerr113 # [too strict] checks the errors handling expressions
#- gofmt # [replaced by goimports] checks whether code was gofmt-ed
#- gofumpt # [replaced by goimports, gofumports is not available yet] checks whether code was gofumpt-ed
#- gosmopolitan # reports certain i18n/l10n anti-patterns in your Go codebase
#- grouper # analyzes expression groups
#- importas # enforces consistent import aliases
#- maintidx # measures the maintainability index of each function
#- misspell # [useless] finds commonly misspelled English words in comments
#- nlreturn # [too strict and mostly code is not more readable] checks for a new line before return and branch statements to increase code clarity
#- paralleltest # [too many false positives] detects missing usage of t.Parallel() method in your Go test
#- tagliatelle # checks the struct tags
#- thelper # detects golang test helpers without t.Helper() call and checks the consistency of test helpers
#- wsl # [too strict and mostly code is not more readable] whitespace linter forces you to use empty lines
## deprecated
#- deadcode # [deprecated, replaced by unused] finds unused code
#- exhaustivestruct # [deprecated, replaced by exhaustruct] checks if all struct's fields are initialized
#- golint # [deprecated, replaced by revive] golint differs from gofmt. Gofmt reformats Go source code, whereas golint prints out style mistakes
#- ifshort # [deprecated] checks that your code uses short syntax for if-statements whenever possible
#- interfacer # [deprecated] suggests narrower interface types
#- maligned # [deprecated, replaced by govet fieldalignment] detects Go structs that would take less memory if their fields were sorted
#- nosnakecase # [deprecated, replaced by revive var-naming] detects snake case of variable naming and function name
#- scopelint # [deprecated, replaced by exportloopref] checks for unpinned variables in go programs
#- structcheck # [deprecated, replaced by unused] finds unused struct fields
#- varcheck # [deprecated, replaced by unused] finds unused global variables and constants
issues:
# Maximum count of issues with the same text.
# Set to 0 to disable.
# Default: 3
max-same-issues: 50
exclude-rules:
- source: "(noinspection|TODO)"
linters: [ godot ]
- source: "//noinspection"
linters: [ gocritic ]
- path: "_test\\.go"
linters:
- bodyclose
- dupl
- funlen
- goconst
- gosec
- noctx
- wrapcheck
# TODO: remove after PR is released https://github.com/golangci/golangci-lint/pull/4386
- text: "fmt.Sprintf can be replaced with string addition"
linters: [ perfsprint ]

16
vendor/github.com/casbin/casbin/v2/.releaserc.json generated vendored
View File

@@ -1,16 +0,0 @@
{
"debug": true,
"branches": [
"+([0-9])?(.{+([0-9]),x}).x",
"master",
{
"name": "beta",
"prerelease": true
}
],
"plugins": [
"@semantic-release/commit-analyzer",
"@semantic-release/release-notes-generator",
"@semantic-release/github"
]
}

15
vendor/github.com/casbin/casbin/v2/.travis.yml generated vendored
View File

@@ -1,15 +0,0 @@
language: go
sudo: false
env:
- GO111MODULE=on
go:
- "1.11.13"
- "1.12"
- "1.13"
- "1.14"
script:
- make test

35
vendor/github.com/casbin/casbin/v2/CONTRIBUTING.md generated vendored
View File

@@ -1,35 +0,0 @@
# How to contribute
The following is a set of guidelines for contributing to casbin and its libraries, which are hosted at [casbin organization at Github](https://github.com/casbin).
This project adheres to the [Contributor Covenant 1.2.](https://www.contributor-covenant.org/version/1/2/0/code-of-conduct.html) By participating, you are expected to uphold this code. Please report unacceptable behavior to info@casbin.com.
## Questions
- We do our best to have an [up-to-date documentation](https://casbin.org/docs/overview)
- [Stack Overflow](https://stackoverflow.com) is the best place to start if you have a question. Please use the [casbin tag](https://stackoverflow.com/tags/casbin/info) we are actively monitoring. We encourage you to use Stack Overflow specially for Modeling Access Control Problems, in order to build a shared knowledge base.
- You can also join our [Discord](https://discord.gg/S5UjpzGZjN).
## Reporting issues
Reporting issues are a great way to contribute to the project. We are perpetually grateful about a well-written, through bug report.
Before raising a new issue, check our [issue list](https://github.com/casbin/casbin/issues) to determine if it already contains the problem that you are facing.
A good bug report shouldn't leave others needing to chase you for more information. Please be as detailed as possible. The following questions might serve as a template for writing a detailed report:
What were you trying to achieve?
What are the expected results?
What are the received results?
What are the steps to reproduce the issue?
In what environment did you encounter the issue?
Feature requests can also be submitted as issues.
## Pull requests
Good pull requests (e.g. patches, improvements, new features) are a fantastic help. They should remain focused in scope and avoid unrelated commits.
Please ask first before embarking on any significant pull request (e.g. implementing new features, refactoring code etc.), otherwise you risk spending a lot of time working on something that the maintainers might not want to merge into the project.
First add an issue to the project to discuss the improvement. Please adhere to the coding conventions used throughout the project. If in doubt, consult the [Effective Go style guide](https://golang.org/doc/effective_go.html).

201
vendor/github.com/casbin/casbin/v2/LICENSE generated vendored
View File

@@ -1,201 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

18
vendor/github.com/casbin/casbin/v2/Makefile generated vendored
View File

@@ -1,18 +0,0 @@
SHELL = /bin/bash
export PATH := $(shell yarn global bin):$(PATH)
default: lint test
test:
go test -race -v ./...
benchmark:
go test -bench=.
lint:
golangci-lint run --verbose
release:
yarn global add semantic-release@17.2.4
semantic-release

296
vendor/github.com/casbin/casbin/v2/README.md generated vendored
View File

@@ -1,296 +0,0 @@
Casbin
====
[![Go Report Card](https://goreportcard.com/badge/github.com/casbin/casbin)](https://goreportcard.com/report/github.com/casbin/casbin)
[![Build](https://github.com/casbin/casbin/actions/workflows/default.yml/badge.svg)](https://github.com/casbin/casbin/actions/workflows/default.yml)
[![Coverage Status](https://coveralls.io/repos/github/casbin/casbin/badge.svg?branch=master)](https://coveralls.io/github/casbin/casbin?branch=master)
[![Godoc](https://godoc.org/github.com/casbin/casbin?status.svg)](https://pkg.go.dev/github.com/casbin/casbin/v2)
[![Release](https://img.shields.io/github/release/casbin/casbin.svg)](https://github.com/casbin/casbin/releases/latest)
[![Discord](https://img.shields.io/discord/1022748306096537660?logo=discord&label=discord&color=5865F2)](https://discord.gg/S5UjpzGZjN)
[![Sourcegraph](https://sourcegraph.com/github.com/casbin/casbin/-/badge.svg)](https://sourcegraph.com/github.com/casbin/casbin?badge)
**News**: still worry about how to write the correct Casbin policy? ``Casbin online editor`` is coming to help! Try it at: https://casbin.org/editor/
![casbin Logo](casbin-logo.png)
Casbin is a powerful and efficient open-source access control library for Golang projects. It provides support for enforcing authorization based on various [access control models](https://en.wikipedia.org/wiki/Computer_security_model).
<p align="center">
<sup>Sponsored by</sup>
<br>
<a href="https://stytch.com/docs?utm_source=oss-sponsorship&utm_medium=paid_sponsorship&utm_campaign=casbin">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://cdn.casbin.org/img/stytch-white.png">
<source media="(prefers-color-scheme: light)" srcset="https://cdn.casbin.org/img/stytch-charcoal.png">
<img src="https://cdn.casbin.org/img/stytch-charcoal.png" width="275">
</picture>
</a><br/>
<a href="https://stytch.com/docs?utm_source=oss-sponsorship&utm_medium=paid_sponsorship&utm_campaign=casbin"><b>Build auth with fraud prevention, faster.</b><br/> Try Stytch for API-first authentication, user & org management, multi-tenant SSO, MFA, device fingerprinting, and more.</a>
<br>
</p>
## All the languages supported by Casbin:
| [![golang](https://casbin.org/img/langs/golang.png)](https://github.com/casbin/casbin) | [![java](https://casbin.org/img/langs/java.png)](https://github.com/casbin/jcasbin) | [![nodejs](https://casbin.org/img/langs/nodejs.png)](https://github.com/casbin/node-casbin) | [![php](https://casbin.org/img/langs/php.png)](https://github.com/php-casbin/php-casbin) |
|----------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
| [Casbin](https://github.com/casbin/casbin) | [jCasbin](https://github.com/casbin/jcasbin) | [node-Casbin](https://github.com/casbin/node-casbin) | [PHP-Casbin](https://github.com/php-casbin/php-casbin) |
| production-ready | production-ready | production-ready | production-ready |
| [![python](https://casbin.org/img/langs/python.png)](https://github.com/casbin/pycasbin) | [![dotnet](https://casbin.org/img/langs/dotnet.png)](https://github.com/casbin-net/Casbin.NET) | [![c++](https://casbin.org/img/langs/cpp.png)](https://github.com/casbin/casbin-cpp) | [![rust](https://casbin.org/img/langs/rust.png)](https://github.com/casbin/casbin-rs) |
|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|
| [PyCasbin](https://github.com/casbin/pycasbin) | [Casbin.NET](https://github.com/casbin-net/Casbin.NET) | [Casbin-CPP](https://github.com/casbin/casbin-cpp) | [Casbin-RS](https://github.com/casbin/casbin-rs) |
| production-ready | production-ready | production-ready | production-ready |
## Table of contents
- [Supported models](#supported-models)
- [How it works?](#how-it-works)
- [Features](#features)
- [Installation](#installation)
- [Documentation](#documentation)
- [Online editor](#online-editor)
- [Tutorials](#tutorials)
- [Get started](#get-started)
- [Policy management](#policy-management)
- [Policy persistence](#policy-persistence)
- [Policy consistence between multiple nodes](#policy-consistence-between-multiple-nodes)
- [Role manager](#role-manager)
- [Benchmarks](#benchmarks)
- [Examples](#examples)
- [Middlewares](#middlewares)
- [Our adopters](#our-adopters)
## Supported models
1. [**ACL (Access Control List)**](https://en.wikipedia.org/wiki/Access_control_list)
2. **ACL with [superuser](https://en.wikipedia.org/wiki/Superuser)**
3. **ACL without users**: especially useful for systems that don't have authentication or user log-ins.
3. **ACL without resources**: some scenarios may target for a type of resources instead of an individual resource by using permissions like ``write-article``, ``read-log``. It doesn't control the access to a specific article or log.
4. **[RBAC (Role-Based Access Control)](https://en.wikipedia.org/wiki/Role-based_access_control)**
5. **RBAC with resource roles**: both users and resources can have roles (or groups) at the same time.
6. **RBAC with domains/tenants**: users can have different role sets for different domains/tenants.
7. **[ABAC (Attribute-Based Access Control)](https://en.wikipedia.org/wiki/Attribute-Based_Access_Control)**: syntax sugar like ``resource.Owner`` can be used to get the attribute for a resource.
8. **[RESTful](https://en.wikipedia.org/wiki/Representational_state_transfer)**: supports paths like ``/res/*``, ``/res/:id`` and HTTP methods like ``GET``, ``POST``, ``PUT``, ``DELETE``.
9. **Deny-override**: both allow and deny authorizations are supported, deny overrides the allow.
10. **Priority**: the policy rules can be prioritized like firewall rules.
## How it works?
In Casbin, an access control model is abstracted into a CONF file based on the **PERM metamodel (Policy, Effect, Request, Matchers)**. So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration. You can customize your own access control model by combining the available models. For example, you can get RBAC roles and ABAC attributes together inside one model and share one set of policy rules.
The most basic and simplest model in Casbin is ACL. ACL's model CONF is:
```ini
# Request definition
[request_definition]
r = sub, obj, act
# Policy definition
[policy_definition]
p = sub, obj, act
# Policy effect
[policy_effect]
e = some(where (p.eft == allow))
# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
```
An example policy for ACL model is like:
```
p, alice, data1, read
p, bob, data2, write
```
It means:
- alice can read data1
- bob can write data2
We also support multi-line mode by appending '\\' in the end:
```ini
# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj \
&& r.act == p.act
```
Further more, if you are using ABAC, you can try operator `in` like following in Casbin **golang** edition (jCasbin and Node-Casbin are not supported yet):
```ini
# Matchers
[matchers]
m = r.obj == p.obj && r.act == p.act || r.obj in ('data2', 'data3')
```
But you **SHOULD** make sure that the length of the array is **MORE** than **1**, otherwise there will cause it to panic.
For more operators, you may take a look at [govaluate](https://github.com/casbin/govaluate)
## Features
What Casbin does:
1. enforce the policy in the classic ``{subject, object, action}`` form or a customized form as you defined, both allow and deny authorizations are supported.
2. handle the storage of the access control model and its policy.
3. manage the role-user mappings and role-role mappings (aka role hierarchy in RBAC).
4. support built-in superuser like ``root`` or ``administrator``. A superuser can do anything without explicit permissions.
5. multiple built-in operators to support the rule matching. For example, ``keyMatch`` can map a resource key ``/foo/bar`` to the pattern ``/foo*``.
What Casbin does NOT do:
1. authentication (aka verify ``username`` and ``password`` when a user logs in)
2. manage the list of users or roles. I believe it's more convenient for the project itself to manage these entities. Users usually have their passwords, and Casbin is not designed as a password container. However, Casbin stores the user-role mapping for the RBAC scenario.
## Installation
```
go get github.com/casbin/casbin/v2
```
## Documentation
https://casbin.org/docs/overview
## Online editor
You can also use the online editor (https://casbin.org/editor/) to write your Casbin model and policy in your web browser. It provides functionality such as ``syntax highlighting`` and ``code completion``, just like an IDE for a programming language.
## Tutorials
https://casbin.org/docs/tutorials
## Get started
1. New a Casbin enforcer with a model file and a policy file:
```go
e, _ := casbin.NewEnforcer("path/to/model.conf", "path/to/policy.csv")
```
Note: you can also initialize an enforcer with policy in DB instead of file, see [Policy-persistence](#policy-persistence) section for details.
2. Add an enforcement hook into your code right before the access happens:
```go
sub := "alice" // the user that wants to access a resource.
obj := "data1" // the resource that is going to be accessed.
act := "read" // the operation that the user performs on the resource.
if res, _ := e.Enforce(sub, obj, act); res {
// permit alice to read data1
} else {
// deny the request, show an error
}
```
3. Besides the static policy file, Casbin also provides API for permission management at run-time. For example, You can get all the roles assigned to a user as below:
```go
roles, _ := e.GetImplicitRolesForUser(sub)
```
See [Policy management APIs](#policy-management) for more usage.
## Policy management
Casbin provides two sets of APIs to manage permissions:
- [Management API](https://casbin.org/docs/management-api): the primitive API that provides full support for Casbin policy management.
- [RBAC API](https://casbin.org/docs/rbac-api): a more friendly API for RBAC. This API is a subset of Management API. The RBAC users could use this API to simplify the code.
We also provide a [web-based UI](https://casbin.org/docs/admin-portal) for model management and policy management:
![model editor](https://hsluoyz.github.io/casbin/ui_model_editor.png)
![policy editor](https://hsluoyz.github.io/casbin/ui_policy_editor.png)
## Policy persistence
https://casbin.org/docs/adapters
## Policy consistence between multiple nodes
https://casbin.org/docs/watchers
## Role manager
https://casbin.org/docs/role-managers
## Benchmarks
https://casbin.org/docs/benchmark
## Examples
| Model | Model file | Policy file |
|---------------------------|----------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
| ACL | [basic_model.conf](https://github.com/casbin/casbin/blob/master/examples/basic_model.conf) | [basic_policy.csv](https://github.com/casbin/casbin/blob/master/examples/basic_policy.csv) |
| ACL with superuser | [basic_model_with_root.conf](https://github.com/casbin/casbin/blob/master/examples/basic_with_root_model.conf) | [basic_policy.csv](https://github.com/casbin/casbin/blob/master/examples/basic_policy.csv) |
| ACL without users | [basic_model_without_users.conf](https://github.com/casbin/casbin/blob/master/examples/basic_without_users_model.conf) | [basic_policy_without_users.csv](https://github.com/casbin/casbin/blob/master/examples/basic_without_users_policy.csv) |
| ACL without resources | [basic_model_without_resources.conf](https://github.com/casbin/casbin/blob/master/examples/basic_without_resources_model.conf) | [basic_policy_without_resources.csv](https://github.com/casbin/casbin/blob/master/examples/basic_without_resources_policy.csv) |
| RBAC | [rbac_model.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_model.conf) | [rbac_policy.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_policy.csv) |
| RBAC with resource roles | [rbac_model_with_resource_roles.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_resource_roles_model.conf) | [rbac_policy_with_resource_roles.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_with_resource_roles_policy.csv) |
| RBAC with domains/tenants | [rbac_model_with_domains.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_domains_model.conf) | [rbac_policy_with_domains.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_with_domains_policy.csv) |
| ABAC | [abac_model.conf](https://github.com/casbin/casbin/blob/master/examples/abac_model.conf) | N/A |
| RESTful | [keymatch_model.conf](https://github.com/casbin/casbin/blob/master/examples/keymatch_model.conf) | [keymatch_policy.csv](https://github.com/casbin/casbin/blob/master/examples/keymatch_policy.csv) |
| Deny-override | [rbac_model_with_deny.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_deny_model.conf) | [rbac_policy_with_deny.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_with_deny_policy.csv) |
| Priority | [priority_model.conf](https://github.com/casbin/casbin/blob/master/examples/priority_model.conf) | [priority_policy.csv](https://github.com/casbin/casbin/blob/master/examples/priority_policy.csv) |
## Middlewares
Authz middlewares for web frameworks: https://casbin.org/docs/middlewares
## Our adopters
https://casbin.org/docs/adopters
## How to Contribute
Please read the [contributing guide](CONTRIBUTING.md).
## Contributors
This project exists thanks to all the people who contribute.
<a href="https://github.com/casbin/casbin/graphs/contributors"><img src="https://opencollective.com/casbin/contributors.svg?width=890&button=false" /></a>
## Backers
Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/casbin#backer)]
<a href="https://opencollective.com/casbin#backers" target="_blank"><img src="https://opencollective.com/casbin/backers.svg?width=890"></a>
## Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/casbin#sponsor)]
<a href="https://opencollective.com/casbin/sponsor/0/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/0/avatar.svg"></a>
<a href="https://opencollective.com/casbin/sponsor/1/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/1/avatar.svg"></a>
<a href="https://opencollective.com/casbin/sponsor/2/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/2/avatar.svg"></a>
<a href="https://opencollective.com/casbin/sponsor/3/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/3/avatar.svg"></a>
<a href="https://opencollective.com/casbin/sponsor/4/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/4/avatar.svg"></a>
<a href="https://opencollective.com/casbin/sponsor/5/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/5/avatar.svg"></a>
<a href="https://opencollective.com/casbin/sponsor/6/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/6/avatar.svg"></a>
<a href="https://opencollective.com/casbin/sponsor/7/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/7/avatar.svg"></a>
<a href="https://opencollective.com/casbin/sponsor/8/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/8/avatar.svg"></a>
<a href="https://opencollective.com/casbin/sponsor/9/website" target="_blank"><img src="https://opencollective.com/casbin/sponsor/9/avatar.svg"></a>
## Star History
[![Star History Chart](https://api.star-history.com/svg?repos=casbin/casbin&type=Date)](https://star-history.com/#casbin/casbin&Date)
## License
This project is licensed under the [Apache 2.0 license](LICENSE).
## Contact
If you have any issues or feature requests, please contact us. PR is welcomed.
- https://github.com/casbin/casbin/issues
- hsluoyz@gmail.com
- Tencent QQ group: [546057381](//shang.qq.com/wpa/qunwpa?idkey=8ac8b91fc97ace3d383d0035f7aa06f7d670fd8e8d4837347354a31c18fac885)

BIN
vendor/github.com/casbin/casbin/v2/casbin-logo.png generated vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 34 KiB

267
vendor/github.com/casbin/casbin/v2/config/config.go generated vendored
View File

@@ -1,267 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package config
import (
"bufio"
"bytes"
"errors"
"fmt"
"io"
"os"
"strconv"
"strings"
)
var (
// DEFAULT_SECTION specifies the name of a section if no name provided.
DEFAULT_SECTION = "default"
// DEFAULT_COMMENT defines what character(s) indicate a comment `#`.
DEFAULT_COMMENT = []byte{'#'}
// DEFAULT_COMMENT_SEM defines what alternate character(s) indicate a comment `;`.
DEFAULT_COMMENT_SEM = []byte{';'}
// DEFAULT_MULTI_LINE_SEPARATOR defines what character indicates a multi-line content.
DEFAULT_MULTI_LINE_SEPARATOR = []byte{'\\'}
)
// ConfigInterface defines the behavior of a Config implementation.
type ConfigInterface interface {
String(key string) string
Strings(key string) []string
Bool(key string) (bool, error)
Int(key string) (int, error)
Int64(key string) (int64, error)
Float64(key string) (float64, error)
Set(key string, value string) error
}
// Config represents an implementation of the ConfigInterface.
type Config struct {
// Section:key=value
data map[string]map[string]string
}
// NewConfig create an empty configuration representation from file.
func NewConfig(confName string) (ConfigInterface, error) {
c := &Config{
data: make(map[string]map[string]string),
}
err := c.parse(confName)
return c, err
}
// NewConfigFromText create an empty configuration representation from text.
func NewConfigFromText(text string) (ConfigInterface, error) {
c := &Config{
data: make(map[string]map[string]string),
}
err := c.parseBuffer(bufio.NewReader(strings.NewReader(text)))
return c, err
}
// AddConfig adds a new section->key:value to the configuration.
func (c *Config) AddConfig(section string, option string, value string) bool {
if section == "" {
section = DEFAULT_SECTION
}
if _, ok := c.data[section]; !ok {
c.data[section] = make(map[string]string)
}
_, ok := c.data[section][option]
c.data[section][option] = value
return !ok
}
func (c *Config) parse(fname string) (err error) {
f, err := os.Open(fname)
if err != nil {
return err
}
defer f.Close()
buf := bufio.NewReader(f)
return c.parseBuffer(buf)
}
func (c *Config) parseBuffer(buf *bufio.Reader) error {
var section string
var lineNum int
var buffer bytes.Buffer
var canWrite bool
for {
if canWrite {
if err := c.write(section, lineNum, &buffer); err != nil {
return err
} else {
canWrite = false
}
}
lineNum++
line, _, err := buf.ReadLine()
if err == io.EOF {
// force write when buffer is not flushed yet
if buffer.Len() > 0 {
if err = c.write(section, lineNum, &buffer); err != nil {
return err
}
}
break
} else if err != nil {
return err
}
line = bytes.TrimSpace(line)
switch {
case bytes.Equal(line, []byte{}), bytes.HasPrefix(line, DEFAULT_COMMENT_SEM),
bytes.HasPrefix(line, DEFAULT_COMMENT):
canWrite = true
continue
case bytes.HasPrefix(line, []byte{'['}) && bytes.HasSuffix(line, []byte{']'}):
// force write when buffer is not flushed yet
if buffer.Len() > 0 {
if err := c.write(section, lineNum, &buffer); err != nil {
return err
}
canWrite = false
}
section = string(line[1 : len(line)-1])
default:
var p []byte
if bytes.HasSuffix(line, DEFAULT_MULTI_LINE_SEPARATOR) {
p = bytes.TrimSpace(line[:len(line)-1])
p = append(p, " "...)
} else {
p = line
canWrite = true
}
end := len(p)
for i, value := range p {
if value == DEFAULT_COMMENT[0] || value == DEFAULT_COMMENT_SEM[0] {
end = i
break
}
}
if _, err := buffer.Write(p[:end]); err != nil {
return err
}
}
}
return nil
}
func (c *Config) write(section string, lineNum int, b *bytes.Buffer) error {
if b.Len() <= 0 {
return nil
}
optionVal := bytes.SplitN(b.Bytes(), []byte{'='}, 2)
if len(optionVal) != 2 {
return fmt.Errorf("parse the content error : line %d , %s = ? ", lineNum, optionVal[0])
}
option := bytes.TrimSpace(optionVal[0])
value := bytes.TrimSpace(optionVal[1])
c.AddConfig(section, string(option), string(value))
// flush buffer after adding
b.Reset()
return nil
}
// Bool lookups up the value using the provided key and converts the value to a bool.
func (c *Config) Bool(key string) (bool, error) {
return strconv.ParseBool(c.get(key))
}
// Int lookups up the value using the provided key and converts the value to a int.
func (c *Config) Int(key string) (int, error) {
return strconv.Atoi(c.get(key))
}
// Int64 lookups up the value using the provided key and converts the value to a int64.
func (c *Config) Int64(key string) (int64, error) {
return strconv.ParseInt(c.get(key), 10, 64)
}
// Float64 lookups up the value using the provided key and converts the value to a float64.
func (c *Config) Float64(key string) (float64, error) {
return strconv.ParseFloat(c.get(key), 64)
}
// String lookups up the value using the provided key and converts the value to a string.
func (c *Config) String(key string) string {
return c.get(key)
}
// Strings lookups up the value using the provided key and converts the value to an array of string
// by splitting the string by comma.
func (c *Config) Strings(key string) []string {
v := c.get(key)
if v == "" {
return nil
}
return strings.Split(v, ",")
}
// Set sets the value for the specific key in the Config.
func (c *Config) Set(key string, value string) error {
if len(key) == 0 {
return errors.New("key is empty")
}
var (
section string
option string
)
keys := strings.Split(strings.ToLower(key), "::")
if len(keys) >= 2 {
section = keys[0]
option = keys[1]
} else {
option = keys[0]
}
c.AddConfig(section, option, value)
return nil
}
// section.key or key.
func (c *Config) get(key string) string {
var (
section string
option string
)
keys := strings.Split(strings.ToLower(key), "::")
if len(keys) >= 2 {
section = keys[0]
option = keys[1]
} else {
section = DEFAULT_SECTION
option = keys[0]
}
if value, ok := c.data[section][option]; ok {
return value
}
return ""
}

31
vendor/github.com/casbin/casbin/v2/constant/constants.go generated vendored
View File

@@ -1,31 +0,0 @@
// Copyright 2022 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package constant
const (
ActionIndex = "act"
DomainIndex = "dom"
SubjectIndex = "sub"
ObjectIndex = "obj"
PriorityIndex = "priority"
)
const (
AllowOverrideEffect = "some(where (p_eft == allow))"
DenyOverrideEffect = "!some(where (p_eft == deny))"
AllowAndDenyEffect = "some(where (p_eft == allow)) && !some(where (p_eft == deny))"
PriorityEffect = "priority(p_eft) || deny"
SubjectPriorityEffect = "subjectPriority(p_eft) || deny"
)

109
vendor/github.com/casbin/casbin/v2/effector/default_effector.go generated vendored
View File

@@ -1,109 +0,0 @@
// Copyright 2018 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package effector
import (
"errors"
"github.com/casbin/casbin/v2/constant"
)
// DefaultEffector is default effector for Casbin.
type DefaultEffector struct {
}
// NewDefaultEffector is the constructor for DefaultEffector.
func NewDefaultEffector() *DefaultEffector {
e := DefaultEffector{}
return &e
}
// MergeEffects merges all matching results collected by the enforcer into a single decision.
func (e *DefaultEffector) MergeEffects(expr string, effects []Effect, matches []float64, policyIndex int, policyLength int) (Effect, int, error) {
result := Indeterminate
explainIndex := -1
switch expr {
case constant.AllowOverrideEffect:
if matches[policyIndex] == 0 {
break
}
// only check the current policyIndex
if effects[policyIndex] == Allow {
result = Allow
explainIndex = policyIndex
break
}
case constant.DenyOverrideEffect:
// only check the current policyIndex
if matches[policyIndex] != 0 && effects[policyIndex] == Deny {
result = Deny
explainIndex = policyIndex
break
}
// if no deny rules are matched at last, then allow
if policyIndex == policyLength-1 {
result = Allow
}
case constant.AllowAndDenyEffect:
// short-circuit if matched deny rule
if matches[policyIndex] != 0 && effects[policyIndex] == Deny {
result = Deny
// set hit rule to the (first) matched deny rule
explainIndex = policyIndex
break
}
// short-circuit some effects in the middle
if policyIndex < policyLength-1 {
// choose not to short-circuit
return result, explainIndex, nil
}
// merge all effects at last
for i, eft := range effects {
if matches[i] == 0 {
continue
}
if eft == Allow {
result = Allow
// set hit rule to first matched allow rule
explainIndex = i
break
}
}
case constant.PriorityEffect, constant.SubjectPriorityEffect:
// reverse merge, short-circuit may be earlier
for i := len(effects) - 1; i >= 0; i-- {
if matches[i] == 0 {
continue
}
if effects[i] != Indeterminate {
if effects[i] == Allow {
result = Allow
} else {
result = Deny
}
explainIndex = i
break
}
}
default:
return Deny, -1, errors.New("unsupported effect")
}
return result, explainIndex, nil
}

31
vendor/github.com/casbin/casbin/v2/effector/effector.go generated vendored
View File

@@ -1,31 +0,0 @@
// Copyright 2018 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package effector //nolint:cyclop // TODO
// Effect is the result for a policy rule.
type Effect int
// Values for policy effect.
const (
Allow Effect = iota
Indeterminate
Deny
)
// Effector is the interface for Casbin effectors.
type Effector interface {
// MergeEffects merges all matching results collected by the enforcer into a single decision.
MergeEffects(expr string, effects []Effect, matches []float64, policyIndex int, policyLength int) (Effect, int, error)
}

1004
vendor/github.com/casbin/casbin/v2/enforcer.go generated vendored
View File

File diff suppressed because it is too large Load Diff

185
vendor/github.com/casbin/casbin/v2/enforcer_cached.go generated vendored
View File

@@ -1,185 +0,0 @@
// Copyright 2018 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import (
"strings"
"sync"
"sync/atomic"
"time"
"github.com/casbin/casbin/v2/persist/cache"
)
// CachedEnforcer wraps Enforcer and provides decision cache.
type CachedEnforcer struct {
*Enforcer
expireTime time.Duration
cache cache.Cache
enableCache int32
locker *sync.RWMutex
}
type CacheableParam interface {
GetCacheKey() string
}
// NewCachedEnforcer creates a cached enforcer via file or DB.
func NewCachedEnforcer(params ...interface{}) (*CachedEnforcer, error) {
e := &CachedEnforcer{}
var err error
e.Enforcer, err = NewEnforcer(params...)
if err != nil {
return nil, err
}
e.enableCache = 1
e.cache, _ = cache.NewDefaultCache()
e.locker = new(sync.RWMutex)
return e, nil
}
// EnableCache determines whether to enable cache on Enforce(). When enableCache is enabled, cached result (true | false) will be returned for previous decisions.
func (e *CachedEnforcer) EnableCache(enableCache bool) {
var enabled int32
if enableCache {
enabled = 1
}
atomic.StoreInt32(&e.enableCache, enabled)
}
// Enforce decides whether a "subject" can access a "object" with the operation "action", input parameters are usually: (sub, obj, act).
// if rvals is not string , ignore the cache.
func (e *CachedEnforcer) Enforce(rvals ...interface{}) (bool, error) {
if atomic.LoadInt32(&e.enableCache) == 0 {
return e.Enforcer.Enforce(rvals...)
}
key, ok := e.getKey(rvals...)
if !ok {
return e.Enforcer.Enforce(rvals...)
}
if res, err := e.getCachedResult(key); err == nil {
return res, nil
} else if err != cache.ErrNoSuchKey {
return res, err
}
res, err := e.Enforcer.Enforce(rvals...)
if err != nil {
return false, err
}
err = e.setCachedResult(key, res, e.expireTime)
return res, err
}
func (e *CachedEnforcer) LoadPolicy() error {
if atomic.LoadInt32(&e.enableCache) != 0 {
if err := e.cache.Clear(); err != nil {
return err
}
}
return e.Enforcer.LoadPolicy()
}
func (e *CachedEnforcer) RemovePolicy(params ...interface{}) (bool, error) {
if atomic.LoadInt32(&e.enableCache) != 0 {
key, ok := e.getKey(params...)
if ok {
if err := e.cache.Delete(key); err != nil && err != cache.ErrNoSuchKey {
return false, err
}
}
}
return e.Enforcer.RemovePolicy(params...)
}
func (e *CachedEnforcer) RemovePolicies(rules [][]string) (bool, error) {
if len(rules) != 0 {
if atomic.LoadInt32(&e.enableCache) != 0 {
irule := make([]interface{}, len(rules[0]))
for _, rule := range rules {
for i, param := range rule {
irule[i] = param
}
key, _ := e.getKey(irule...)
if err := e.cache.Delete(key); err != nil && err != cache.ErrNoSuchKey {
return false, err
}
}
}
}
return e.Enforcer.RemovePolicies(rules)
}
func (e *CachedEnforcer) getCachedResult(key string) (res bool, err error) {
e.locker.Lock()
defer e.locker.Unlock()
return e.cache.Get(key)
}
func (e *CachedEnforcer) SetExpireTime(expireTime time.Duration) {
e.expireTime = expireTime
}
func (e *CachedEnforcer) SetCache(c cache.Cache) {
e.cache = c
}
func (e *CachedEnforcer) setCachedResult(key string, res bool, extra ...interface{}) error {
e.locker.Lock()
defer e.locker.Unlock()
return e.cache.Set(key, res, extra...)
}
func (e *CachedEnforcer) getKey(params ...interface{}) (string, bool) {
return GetCacheKey(params...)
}
// InvalidateCache deletes all the existing cached decisions.
func (e *CachedEnforcer) InvalidateCache() error {
e.locker.Lock()
defer e.locker.Unlock()
return e.cache.Clear()
}
func GetCacheKey(params ...interface{}) (string, bool) {
key := strings.Builder{}
for _, param := range params {
switch typedParam := param.(type) {
case string:
key.WriteString(typedParam)
case CacheableParam:
key.WriteString(typedParam.GetCacheKey())
default:
return "", false
}
key.WriteString("$$")
}
return key.String(), true
}
// ClearPolicy clears all policy.
func (e *CachedEnforcer) ClearPolicy() {
if atomic.LoadInt32(&e.enableCache) != 0 {
if err := e.cache.Clear(); err != nil {
e.logger.LogError(err, "clear cache failed")
return
}
}
e.Enforcer.ClearPolicy()
}

180
vendor/github.com/casbin/casbin/v2/enforcer_cached_synced.go generated vendored
View File

@@ -1,180 +0,0 @@
// Copyright 2018 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import (
"sync"
"sync/atomic"
"time"
"github.com/casbin/casbin/v2/persist/cache"
)
// SyncedCachedEnforcer wraps Enforcer and provides decision sync cache.
type SyncedCachedEnforcer struct {
*SyncedEnforcer
expireTime time.Duration
cache cache.Cache
enableCache int32
locker *sync.RWMutex
}
// NewSyncedCachedEnforcer creates a sync cached enforcer via file or DB.
func NewSyncedCachedEnforcer(params ...interface{}) (*SyncedCachedEnforcer, error) {
e := &SyncedCachedEnforcer{}
var err error
e.SyncedEnforcer, err = NewSyncedEnforcer(params...)
if err != nil {
return nil, err
}
e.enableCache = 1
e.cache, _ = cache.NewSyncCache()
e.locker = new(sync.RWMutex)
return e, nil
}
// EnableCache determines whether to enable cache on Enforce(). When enableCache is enabled, cached result (true | false) will be returned for previous decisions.
func (e *SyncedCachedEnforcer) EnableCache(enableCache bool) {
var enabled int32
if enableCache {
enabled = 1
}
atomic.StoreInt32(&e.enableCache, enabled)
}
// Enforce decides whether a "subject" can access a "object" with the operation "action", input parameters are usually: (sub, obj, act).
// if rvals is not string , ignore the cache.
func (e *SyncedCachedEnforcer) Enforce(rvals ...interface{}) (bool, error) {
if atomic.LoadInt32(&e.enableCache) == 0 {
return e.SyncedEnforcer.Enforce(rvals...)
}
key, ok := e.getKey(rvals...)
if !ok {
return e.SyncedEnforcer.Enforce(rvals...)
}
if res, err := e.getCachedResult(key); err == nil {
return res, nil
} else if err != cache.ErrNoSuchKey {
return res, err
}
res, err := e.SyncedEnforcer.Enforce(rvals...)
if err != nil {
return false, err
}
err = e.setCachedResult(key, res, e.expireTime)
return res, err
}
func (e *SyncedCachedEnforcer) LoadPolicy() error {
if atomic.LoadInt32(&e.enableCache) != 0 {
if err := e.cache.Clear(); err != nil {
return err
}
}
return e.SyncedEnforcer.LoadPolicy()
}
func (e *SyncedCachedEnforcer) AddPolicy(params ...interface{}) (bool, error) {
if ok, err := e.checkOneAndRemoveCache(params...); !ok {
return ok, err
}
return e.SyncedEnforcer.AddPolicy(params...)
}
func (e *SyncedCachedEnforcer) AddPolicies(rules [][]string) (bool, error) {
if ok, err := e.checkManyAndRemoveCache(rules); !ok {
return ok, err
}
return e.SyncedEnforcer.AddPolicies(rules)
}
func (e *SyncedCachedEnforcer) RemovePolicy(params ...interface{}) (bool, error) {
if ok, err := e.checkOneAndRemoveCache(params...); !ok {
return ok, err
}
return e.SyncedEnforcer.RemovePolicy(params...)
}
func (e *SyncedCachedEnforcer) RemovePolicies(rules [][]string) (bool, error) {
if ok, err := e.checkManyAndRemoveCache(rules); !ok {
return ok, err
}
return e.SyncedEnforcer.RemovePolicies(rules)
}
func (e *SyncedCachedEnforcer) getCachedResult(key string) (res bool, err error) {
return e.cache.Get(key)
}
func (e *SyncedCachedEnforcer) SetExpireTime(expireTime time.Duration) {
e.locker.Lock()
defer e.locker.Unlock()
e.expireTime = expireTime
}
// SetCache need to be sync cache.
func (e *SyncedCachedEnforcer) SetCache(c cache.Cache) {
e.locker.Lock()
defer e.locker.Unlock()
e.cache = c
}
func (e *SyncedCachedEnforcer) setCachedResult(key string, res bool, extra ...interface{}) error {
return e.cache.Set(key, res, extra...)
}
func (e *SyncedCachedEnforcer) getKey(params ...interface{}) (string, bool) {
return GetCacheKey(params...)
}
// InvalidateCache deletes all the existing cached decisions.
func (e *SyncedCachedEnforcer) InvalidateCache() error {
return e.cache.Clear()
}
func (e *SyncedCachedEnforcer) checkOneAndRemoveCache(params ...interface{}) (bool, error) {
if atomic.LoadInt32(&e.enableCache) != 0 {
key, ok := e.getKey(params...)
if ok {
if err := e.cache.Delete(key); err != nil && err != cache.ErrNoSuchKey {
return false, err
}
}
}
return true, nil
}
func (e *SyncedCachedEnforcer) checkManyAndRemoveCache(rules [][]string) (bool, error) {
if len(rules) != 0 {
if atomic.LoadInt32(&e.enableCache) != 0 {
irule := make([]interface{}, len(rules[0]))
for _, rule := range rules {
for i, param := range rule {
irule[i] = param
}
key, _ := e.getKey(irule...)
if err := e.cache.Delete(key); err != nil && err != cache.ErrNoSuchKey {
return false, err
}
}
}
}
return true, nil
}

239
vendor/github.com/casbin/casbin/v2/enforcer_distributed.go generated vendored
View File

@@ -1,239 +0,0 @@
package casbin
import (
"github.com/casbin/casbin/v2/model"
"github.com/casbin/casbin/v2/persist"
)
// DistributedEnforcer wraps SyncedEnforcer for dispatcher.
type DistributedEnforcer struct {
*SyncedEnforcer
}
func NewDistributedEnforcer(params ...interface{}) (*DistributedEnforcer, error) {
e := &DistributedEnforcer{}
var err error
e.SyncedEnforcer, err = NewSyncedEnforcer(params...)
if err != nil {
return nil, err
}
return e, nil
}
// SetDispatcher sets the current dispatcher.
func (d *DistributedEnforcer) SetDispatcher(dispatcher persist.Dispatcher) {
d.dispatcher = dispatcher
}
// AddPoliciesSelf provides a method for dispatcher to add authorization rules to the current policy.
// The function returns the rules affected and error.
func (d *DistributedEnforcer) AddPoliciesSelf(shouldPersist func() bool, sec string, ptype string, rules [][]string) (affected [][]string, err error) {
d.m.Lock()
defer d.m.Unlock()
if shouldPersist != nil && shouldPersist() {
var noExistsPolicy [][]string
for _, rule := range rules {
var hasPolicy bool
hasPolicy, err = d.model.HasPolicy(sec, ptype, rule)
if err != nil {
return nil, err
}
if !hasPolicy {
noExistsPolicy = append(noExistsPolicy, rule)
}
}
if err = d.adapter.(persist.BatchAdapter).AddPolicies(sec, ptype, noExistsPolicy); err != nil && err.Error() != notImplemented {
return nil, err
}
}
affected, err = d.model.AddPoliciesWithAffected(sec, ptype, rules)
if err != nil {
return affected, err
}
if sec == "g" {
err := d.BuildIncrementalRoleLinks(model.PolicyAdd, ptype, affected)
if err != nil {
return affected, err
}
}
return affected, nil
}
// RemovePoliciesSelf provides a method for dispatcher to remove a set of rules from current policy.
// The function returns the rules affected and error.
func (d *DistributedEnforcer) RemovePoliciesSelf(shouldPersist func() bool, sec string, ptype string, rules [][]string) (affected [][]string, err error) {
d.m.Lock()
defer d.m.Unlock()
if shouldPersist != nil && shouldPersist() {
if err = d.adapter.(persist.BatchAdapter).RemovePolicies(sec, ptype, rules); err != nil {
if err.Error() != notImplemented {
return nil, err
}
}
}
affected, err = d.model.RemovePoliciesWithAffected(sec, ptype, rules)
if err != nil {
return affected, err
}
if sec == "g" {
err = d.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, affected)
if err != nil {
return affected, err
}
}
return affected, err
}
// RemoveFilteredPolicySelf provides a method for dispatcher to remove an authorization rule from the current policy, field filters can be specified.
// The function returns the rules affected and error.
func (d *DistributedEnforcer) RemoveFilteredPolicySelf(shouldPersist func() bool, sec string, ptype string, fieldIndex int, fieldValues ...string) (affected [][]string, err error) {
d.m.Lock()
defer d.m.Unlock()
if shouldPersist != nil && shouldPersist() {
if err = d.adapter.RemoveFilteredPolicy(sec, ptype, fieldIndex, fieldValues...); err != nil {
if err.Error() != notImplemented {
return nil, err
}
}
}
_, affected, err = d.model.RemoveFilteredPolicy(sec, ptype, fieldIndex, fieldValues...)
if err != nil {
return affected, err
}
if sec == "g" {
err := d.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, affected)
if err != nil {
return affected, err
}
}
return affected, nil
}
// ClearPolicySelf provides a method for dispatcher to clear all rules from the current policy.
func (d *DistributedEnforcer) ClearPolicySelf(shouldPersist func() bool) error {
d.m.Lock()
defer d.m.Unlock()
if shouldPersist != nil && shouldPersist() {
err := d.adapter.SavePolicy(nil)
if err != nil {
return err
}
}
d.model.ClearPolicy()
return nil
}
// UpdatePolicySelf provides a method for dispatcher to update an authorization rule from the current policy.
func (d *DistributedEnforcer) UpdatePolicySelf(shouldPersist func() bool, sec string, ptype string, oldRule, newRule []string) (affected bool, err error) {
d.m.Lock()
defer d.m.Unlock()
if shouldPersist != nil && shouldPersist() {
err = d.adapter.(persist.UpdatableAdapter).UpdatePolicy(sec, ptype, oldRule, newRule)
if err != nil {
return false, err
}
}
ruleUpdated, err := d.model.UpdatePolicy(sec, ptype, oldRule, newRule)
if !ruleUpdated || err != nil {
return ruleUpdated, err
}
if sec == "g" {
err := d.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, [][]string{oldRule}) // remove the old rule
if err != nil {
return ruleUpdated, err
}
err = d.BuildIncrementalRoleLinks(model.PolicyAdd, ptype, [][]string{newRule}) // add the new rule
if err != nil {
return ruleUpdated, err
}
}
return ruleUpdated, nil
}
// UpdatePoliciesSelf provides a method for dispatcher to update a set of authorization rules from the current policy.
func (d *DistributedEnforcer) UpdatePoliciesSelf(shouldPersist func() bool, sec string, ptype string, oldRules, newRules [][]string) (affected bool, err error) {
d.m.Lock()
defer d.m.Unlock()
if shouldPersist != nil && shouldPersist() {
err = d.adapter.(persist.UpdatableAdapter).UpdatePolicies(sec, ptype, oldRules, newRules)
if err != nil {
return false, err
}
}
ruleUpdated, err := d.model.UpdatePolicies(sec, ptype, oldRules, newRules)
if !ruleUpdated || err != nil {
return ruleUpdated, err
}
if sec == "g" {
err := d.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, oldRules) // remove the old rule
if err != nil {
return ruleUpdated, err
}
err = d.BuildIncrementalRoleLinks(model.PolicyAdd, ptype, newRules) // add the new rule
if err != nil {
return ruleUpdated, err
}
}
return ruleUpdated, nil
}
// UpdateFilteredPoliciesSelf provides a method for dispatcher to update a set of authorization rules from the current policy.
func (d *DistributedEnforcer) UpdateFilteredPoliciesSelf(shouldPersist func() bool, sec string, ptype string, newRules [][]string, fieldIndex int, fieldValues ...string) (bool, error) {
d.m.Lock()
defer d.m.Unlock()
var (
oldRules [][]string
err error
)
if shouldPersist != nil && shouldPersist() {
oldRules, err = d.adapter.(persist.UpdatableAdapter).UpdateFilteredPolicies(sec, ptype, newRules, fieldIndex, fieldValues...)
if err != nil {
return false, err
}
}
ruleChanged, err := d.model.RemovePolicies(sec, ptype, oldRules)
if err != nil {
return ruleChanged, err
}
err = d.model.AddPolicies(sec, ptype, newRules)
if err != nil {
return ruleChanged, err
}
ruleChanged = ruleChanged && len(newRules) != 0
if !ruleChanged {
return ruleChanged, nil
}
if sec == "g" {
err := d.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, oldRules) // remove the old rule
if err != nil {
return ruleChanged, err
}
err = d.BuildIncrementalRoleLinks(model.PolicyAdd, ptype, newRules) // add the new rule
if err != nil {
return ruleChanged, err
}
}
return true, nil
}

177
vendor/github.com/casbin/casbin/v2/enforcer_interface.go generated vendored
View File

@@ -1,177 +0,0 @@
// Copyright 2019 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import (
"github.com/casbin/casbin/v2/effector"
"github.com/casbin/casbin/v2/model"
"github.com/casbin/casbin/v2/persist"
"github.com/casbin/casbin/v2/rbac"
"github.com/casbin/govaluate"
)
var _ IEnforcer = &Enforcer{}
var _ IEnforcer = &SyncedEnforcer{}
var _ IEnforcer = &CachedEnforcer{}
// IEnforcer is the API interface of Enforcer.
type IEnforcer interface {
/* Enforcer API */
InitWithFile(modelPath string, policyPath string) error
InitWithAdapter(modelPath string, adapter persist.Adapter) error
InitWithModelAndAdapter(m model.Model, adapter persist.Adapter) error
LoadModel() error
GetModel() model.Model
SetModel(m model.Model)
GetAdapter() persist.Adapter
SetAdapter(adapter persist.Adapter)
SetWatcher(watcher persist.Watcher) error
GetRoleManager() rbac.RoleManager
SetRoleManager(rm rbac.RoleManager)
SetEffector(eft effector.Effector)
ClearPolicy()
LoadPolicy() error
LoadFilteredPolicy(filter interface{}) error
LoadIncrementalFilteredPolicy(filter interface{}) error
IsFiltered() bool
SavePolicy() error
EnableEnforce(enable bool)
EnableLog(enable bool)
EnableAutoNotifyWatcher(enable bool)
EnableAutoSave(autoSave bool)
EnableAutoBuildRoleLinks(autoBuildRoleLinks bool)
BuildRoleLinks() error
Enforce(rvals ...interface{}) (bool, error)
EnforceWithMatcher(matcher string, rvals ...interface{}) (bool, error)
EnforceEx(rvals ...interface{}) (bool, []string, error)
EnforceExWithMatcher(matcher string, rvals ...interface{}) (bool, []string, error)
BatchEnforce(requests [][]interface{}) ([]bool, error)
BatchEnforceWithMatcher(matcher string, requests [][]interface{}) ([]bool, error)
/* RBAC API */
GetRolesForUser(name string, domain ...string) ([]string, error)
GetUsersForRole(name string, domain ...string) ([]string, error)
HasRoleForUser(name string, role string, domain ...string) (bool, error)
AddRoleForUser(user string, role string, domain ...string) (bool, error)
AddPermissionForUser(user string, permission ...string) (bool, error)
AddPermissionsForUser(user string, permissions ...[]string) (bool, error)
DeletePermissionForUser(user string, permission ...string) (bool, error)
DeletePermissionsForUser(user string) (bool, error)
GetPermissionsForUser(user string, domain ...string) ([][]string, error)
HasPermissionForUser(user string, permission ...string) (bool, error)
GetImplicitRolesForUser(name string, domain ...string) ([]string, error)
GetImplicitPermissionsForUser(user string, domain ...string) ([][]string, error)
GetImplicitUsersForPermission(permission ...string) ([]string, error)
DeleteRoleForUser(user string, role string, domain ...string) (bool, error)
DeleteRolesForUser(user string, domain ...string) (bool, error)
DeleteUser(user string) (bool, error)
DeleteRole(role string) (bool, error)
DeletePermission(permission ...string) (bool, error)
/* RBAC API with domains*/
GetUsersForRoleInDomain(name string, domain string) []string
GetRolesForUserInDomain(name string, domain string) []string
GetPermissionsForUserInDomain(user string, domain string) [][]string
AddRoleForUserInDomain(user string, role string, domain string) (bool, error)
DeleteRoleForUserInDomain(user string, role string, domain string) (bool, error)
GetAllUsersByDomain(domain string) ([]string, error)
DeleteRolesForUserInDomain(user string, domain string) (bool, error)
DeleteAllUsersByDomain(domain string) (bool, error)
DeleteDomains(domains ...string) (bool, error)
GetAllDomains() ([]string, error)
GetAllRolesByDomain(domain string) ([]string, error)
/* Management API */
GetAllSubjects() ([]string, error)
GetAllNamedSubjects(ptype string) ([]string, error)
GetAllObjects() ([]string, error)
GetAllNamedObjects(ptype string) ([]string, error)
GetAllActions() ([]string, error)
GetAllNamedActions(ptype string) ([]string, error)
GetAllRoles() ([]string, error)
GetAllNamedRoles(ptype string) ([]string, error)
GetPolicy() ([][]string, error)
GetFilteredPolicy(fieldIndex int, fieldValues ...string) ([][]string, error)
GetNamedPolicy(ptype string) ([][]string, error)
GetFilteredNamedPolicy(ptype string, fieldIndex int, fieldValues ...string) ([][]string, error)
GetGroupingPolicy() ([][]string, error)
GetFilteredGroupingPolicy(fieldIndex int, fieldValues ...string) ([][]string, error)
GetNamedGroupingPolicy(ptype string) ([][]string, error)
GetFilteredNamedGroupingPolicy(ptype string, fieldIndex int, fieldValues ...string) ([][]string, error)
HasPolicy(params ...interface{}) (bool, error)
HasNamedPolicy(ptype string, params ...interface{}) (bool, error)
AddPolicy(params ...interface{}) (bool, error)
AddPolicies(rules [][]string) (bool, error)
AddNamedPolicy(ptype string, params ...interface{}) (bool, error)
AddNamedPolicies(ptype string, rules [][]string) (bool, error)
AddPoliciesEx(rules [][]string) (bool, error)
AddNamedPoliciesEx(ptype string, rules [][]string) (bool, error)
RemovePolicy(params ...interface{}) (bool, error)
RemovePolicies(rules [][]string) (bool, error)
RemoveFilteredPolicy(fieldIndex int, fieldValues ...string) (bool, error)
RemoveNamedPolicy(ptype string, params ...interface{}) (bool, error)
RemoveNamedPolicies(ptype string, rules [][]string) (bool, error)
RemoveFilteredNamedPolicy(ptype string, fieldIndex int, fieldValues ...string) (bool, error)
HasGroupingPolicy(params ...interface{}) (bool, error)
HasNamedGroupingPolicy(ptype string, params ...interface{}) (bool, error)
AddGroupingPolicy(params ...interface{}) (bool, error)
AddGroupingPolicies(rules [][]string) (bool, error)
AddGroupingPoliciesEx(rules [][]string) (bool, error)
AddNamedGroupingPolicy(ptype string, params ...interface{}) (bool, error)
AddNamedGroupingPolicies(ptype string, rules [][]string) (bool, error)
AddNamedGroupingPoliciesEx(ptype string, rules [][]string) (bool, error)
RemoveGroupingPolicy(params ...interface{}) (bool, error)
RemoveGroupingPolicies(rules [][]string) (bool, error)
RemoveFilteredGroupingPolicy(fieldIndex int, fieldValues ...string) (bool, error)
RemoveNamedGroupingPolicy(ptype string, params ...interface{}) (bool, error)
RemoveNamedGroupingPolicies(ptype string, rules [][]string) (bool, error)
RemoveFilteredNamedGroupingPolicy(ptype string, fieldIndex int, fieldValues ...string) (bool, error)
AddFunction(name string, function govaluate.ExpressionFunction)
UpdatePolicy(oldPolicy []string, newPolicy []string) (bool, error)
UpdatePolicies(oldPolicies [][]string, newPolicies [][]string) (bool, error)
UpdateFilteredPolicies(newPolicies [][]string, fieldIndex int, fieldValues ...string) (bool, error)
UpdateGroupingPolicy(oldRule []string, newRule []string) (bool, error)
UpdateGroupingPolicies(oldRules [][]string, newRules [][]string) (bool, error)
UpdateNamedGroupingPolicy(ptype string, oldRule []string, newRule []string) (bool, error)
UpdateNamedGroupingPolicies(ptype string, oldRules [][]string, newRules [][]string) (bool, error)
/* Management API with autoNotifyWatcher disabled */
SelfAddPolicy(sec string, ptype string, rule []string) (bool, error)
SelfAddPolicies(sec string, ptype string, rules [][]string) (bool, error)
SelfAddPoliciesEx(sec string, ptype string, rules [][]string) (bool, error)
SelfRemovePolicy(sec string, ptype string, rule []string) (bool, error)
SelfRemovePolicies(sec string, ptype string, rules [][]string) (bool, error)
SelfRemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) (bool, error)
SelfUpdatePolicy(sec string, ptype string, oldRule, newRule []string) (bool, error)
SelfUpdatePolicies(sec string, ptype string, oldRules, newRules [][]string) (bool, error)
}
var _ IDistributedEnforcer = &DistributedEnforcer{}
// IDistributedEnforcer defines dispatcher enforcer.
type IDistributedEnforcer interface {
IEnforcer
SetDispatcher(dispatcher persist.Dispatcher)
/* Management API for DistributedEnforcer*/
AddPoliciesSelf(shouldPersist func() bool, sec string, ptype string, rules [][]string) (affected [][]string, err error)
RemovePoliciesSelf(shouldPersist func() bool, sec string, ptype string, rules [][]string) (affected [][]string, err error)
RemoveFilteredPolicySelf(shouldPersist func() bool, sec string, ptype string, fieldIndex int, fieldValues ...string) (affected [][]string, err error)
ClearPolicySelf(shouldPersist func() bool) error
UpdatePolicySelf(shouldPersist func() bool, sec string, ptype string, oldRule, newRule []string) (affected bool, err error)
UpdatePoliciesSelf(shouldPersist func() bool, sec string, ptype string, oldRules, newRules [][]string) (affected bool, err error)
UpdateFilteredPoliciesSelf(shouldPersist func() bool, sec string, ptype string, newRules [][]string, fieldIndex int, fieldValues ...string) (bool, error)
}

650
vendor/github.com/casbin/casbin/v2/enforcer_synced.go generated vendored
View File

@@ -1,650 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import (
"sync"
"sync/atomic"
"time"
"github.com/casbin/govaluate"
"github.com/casbin/casbin/v2/persist"
)
// SyncedEnforcer wraps Enforcer and provides synchronized access.
type SyncedEnforcer struct {
*Enforcer
m sync.RWMutex
stopAutoLoad chan struct{}
autoLoadRunning int32
}
// NewSyncedEnforcer creates a synchronized enforcer via file or DB.
func NewSyncedEnforcer(params ...interface{}) (*SyncedEnforcer, error) {
e := &SyncedEnforcer{}
var err error
e.Enforcer, err = NewEnforcer(params...)
if err != nil {
return nil, err
}
e.stopAutoLoad = make(chan struct{}, 1)
e.autoLoadRunning = 0
return e, nil
}
// GetLock return the private RWMutex lock.
func (e *SyncedEnforcer) GetLock() *sync.RWMutex {
return &e.m
}
// IsAutoLoadingRunning check if SyncedEnforcer is auto loading policies.
func (e *SyncedEnforcer) IsAutoLoadingRunning() bool {
return atomic.LoadInt32(&(e.autoLoadRunning)) != 0
}
// StartAutoLoadPolicy starts a go routine that will every specified duration call LoadPolicy.
func (e *SyncedEnforcer) StartAutoLoadPolicy(d time.Duration) {
// Don't start another goroutine if there is already one running
if !atomic.CompareAndSwapInt32(&e.autoLoadRunning, 0, 1) {
return
}
ticker := time.NewTicker(d)
go func() {
defer func() {
ticker.Stop()
atomic.StoreInt32(&(e.autoLoadRunning), int32(0))
}()
n := 1
for {
select {
case <-ticker.C:
// error intentionally ignored
_ = e.LoadPolicy()
// Uncomment this line to see when the policy is loaded.
// log.Print("Load policy for time: ", n)
n++
case <-e.stopAutoLoad:
return
}
}
}()
}
// StopAutoLoadPolicy causes the go routine to exit.
func (e *SyncedEnforcer) StopAutoLoadPolicy() {
if e.IsAutoLoadingRunning() {
e.stopAutoLoad <- struct{}{}
}
}
// SetWatcher sets the current watcher.
func (e *SyncedEnforcer) SetWatcher(watcher persist.Watcher) error {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SetWatcher(watcher)
}
// LoadModel reloads the model from the model CONF file.
func (e *SyncedEnforcer) LoadModel() error {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.LoadModel()
}
// ClearPolicy clears all policy.
func (e *SyncedEnforcer) ClearPolicy() {
e.m.Lock()
defer e.m.Unlock()
e.Enforcer.ClearPolicy()
}
// LoadPolicy reloads the policy from file/database.
func (e *SyncedEnforcer) LoadPolicy() error {
e.m.RLock()
newModel, err := e.loadPolicyFromAdapter(e.model)
e.m.RUnlock()
if err != nil {
return err
}
e.m.Lock()
err = e.applyModifiedModel(newModel)
e.m.Unlock()
if err != nil {
return err
}
return nil
}
// LoadFilteredPolicy reloads a filtered policy from file/database.
func (e *SyncedEnforcer) LoadFilteredPolicy(filter interface{}) error {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.LoadFilteredPolicy(filter)
}
// LoadIncrementalFilteredPolicy reloads a filtered policy from file/database.
func (e *SyncedEnforcer) LoadIncrementalFilteredPolicy(filter interface{}) error {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.LoadIncrementalFilteredPolicy(filter)
}
// SavePolicy saves the current policy (usually after changed with Casbin API) back to file/database.
func (e *SyncedEnforcer) SavePolicy() error {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SavePolicy()
}
// BuildRoleLinks manually rebuild the role inheritance relations.
func (e *SyncedEnforcer) BuildRoleLinks() error {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.BuildRoleLinks()
}
// Enforce decides whether a "subject" can access a "object" with the operation "action", input parameters are usually: (sub, obj, act).
func (e *SyncedEnforcer) Enforce(rvals ...interface{}) (bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.Enforce(rvals...)
}
// EnforceWithMatcher use a custom matcher to decides whether a "subject" can access a "object" with the operation "action", input parameters are usually: (matcher, sub, obj, act), use model matcher by default when matcher is "".
func (e *SyncedEnforcer) EnforceWithMatcher(matcher string, rvals ...interface{}) (bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.EnforceWithMatcher(matcher, rvals...)
}
// EnforceEx explain enforcement by informing matched rules.
func (e *SyncedEnforcer) EnforceEx(rvals ...interface{}) (bool, []string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.EnforceEx(rvals...)
}
// EnforceExWithMatcher use a custom matcher and explain enforcement by informing matched rules.
func (e *SyncedEnforcer) EnforceExWithMatcher(matcher string, rvals ...interface{}) (bool, []string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.EnforceExWithMatcher(matcher, rvals...)
}
// BatchEnforce enforce in batches.
func (e *SyncedEnforcer) BatchEnforce(requests [][]interface{}) ([]bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.BatchEnforce(requests)
}
// BatchEnforceWithMatcher enforce with matcher in batches.
func (e *SyncedEnforcer) BatchEnforceWithMatcher(matcher string, requests [][]interface{}) ([]bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.BatchEnforceWithMatcher(matcher, requests)
}
// GetAllSubjects gets the list of subjects that show up in the current policy.
func (e *SyncedEnforcer) GetAllSubjects() ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetAllSubjects()
}
// GetAllNamedSubjects gets the list of subjects that show up in the current named policy.
func (e *SyncedEnforcer) GetAllNamedSubjects(ptype string) ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetAllNamedSubjects(ptype)
}
// GetAllObjects gets the list of objects that show up in the current policy.
func (e *SyncedEnforcer) GetAllObjects() ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetAllObjects()
}
// GetAllNamedObjects gets the list of objects that show up in the current named policy.
func (e *SyncedEnforcer) GetAllNamedObjects(ptype string) ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetAllNamedObjects(ptype)
}
// GetAllActions gets the list of actions that show up in the current policy.
func (e *SyncedEnforcer) GetAllActions() ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetAllActions()
}
// GetAllNamedActions gets the list of actions that show up in the current named policy.
func (e *SyncedEnforcer) GetAllNamedActions(ptype string) ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetAllNamedActions(ptype)
}
// GetAllRoles gets the list of roles that show up in the current policy.
func (e *SyncedEnforcer) GetAllRoles() ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetAllRoles()
}
// GetAllNamedRoles gets the list of roles that show up in the current named policy.
func (e *SyncedEnforcer) GetAllNamedRoles(ptype string) ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetAllNamedRoles(ptype)
}
// GetPolicy gets all the authorization rules in the policy.
func (e *SyncedEnforcer) GetPolicy() ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetPolicy()
}
// GetFilteredPolicy gets all the authorization rules in the policy, field filters can be specified.
func (e *SyncedEnforcer) GetFilteredPolicy(fieldIndex int, fieldValues ...string) ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetFilteredPolicy(fieldIndex, fieldValues...)
}
// GetNamedPolicy gets all the authorization rules in the named policy.
func (e *SyncedEnforcer) GetNamedPolicy(ptype string) ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetNamedPolicy(ptype)
}
// GetFilteredNamedPolicy gets all the authorization rules in the named policy, field filters can be specified.
func (e *SyncedEnforcer) GetFilteredNamedPolicy(ptype string, fieldIndex int, fieldValues ...string) ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetFilteredNamedPolicy(ptype, fieldIndex, fieldValues...)
}
// GetGroupingPolicy gets all the role inheritance rules in the policy.
func (e *SyncedEnforcer) GetGroupingPolicy() ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetGroupingPolicy()
}
// GetFilteredGroupingPolicy gets all the role inheritance rules in the policy, field filters can be specified.
func (e *SyncedEnforcer) GetFilteredGroupingPolicy(fieldIndex int, fieldValues ...string) ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetFilteredGroupingPolicy(fieldIndex, fieldValues...)
}
// GetNamedGroupingPolicy gets all the role inheritance rules in the policy.
func (e *SyncedEnforcer) GetNamedGroupingPolicy(ptype string) ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetNamedGroupingPolicy(ptype)
}
// GetFilteredNamedGroupingPolicy gets all the role inheritance rules in the policy, field filters can be specified.
func (e *SyncedEnforcer) GetFilteredNamedGroupingPolicy(ptype string, fieldIndex int, fieldValues ...string) ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetFilteredNamedGroupingPolicy(ptype, fieldIndex, fieldValues...)
}
// HasPolicy determines whether an authorization rule exists.
func (e *SyncedEnforcer) HasPolicy(params ...interface{}) (bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.HasPolicy(params...)
}
// HasNamedPolicy determines whether a named authorization rule exists.
func (e *SyncedEnforcer) HasNamedPolicy(ptype string, params ...interface{}) (bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.HasNamedPolicy(ptype, params...)
}
// AddPolicy adds an authorization rule to the current policy.
// If the rule already exists, the function returns false and the rule will not be added.
// Otherwise the function returns true by adding the new rule.
func (e *SyncedEnforcer) AddPolicy(params ...interface{}) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddPolicy(params...)
}
// AddPolicies adds authorization rules to the current policy.
// If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
// Otherwise the function returns true for the corresponding rule by adding the new rule.
func (e *SyncedEnforcer) AddPolicies(rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddPolicies(rules)
}
// AddPoliciesEx adds authorization rules to the current policy.
// If the rule already exists, the rule will not be added.
// But unlike AddPolicies, other non-existent rules are added instead of returning false directly.
func (e *SyncedEnforcer) AddPoliciesEx(rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddPoliciesEx(rules)
}
// AddNamedPolicy adds an authorization rule to the current named policy.
// If the rule already exists, the function returns false and the rule will not be added.
// Otherwise the function returns true by adding the new rule.
func (e *SyncedEnforcer) AddNamedPolicy(ptype string, params ...interface{}) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddNamedPolicy(ptype, params...)
}
// AddNamedPolicies adds authorization rules to the current named policy.
// If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
// Otherwise the function returns true for the corresponding by adding the new rule.
func (e *SyncedEnforcer) AddNamedPolicies(ptype string, rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddNamedPolicies(ptype, rules)
}
// AddNamedPoliciesEx adds authorization rules to the current named policy.
// If the rule already exists, the rule will not be added.
// But unlike AddNamedPolicies, other non-existent rules are added instead of returning false directly.
func (e *SyncedEnforcer) AddNamedPoliciesEx(ptype string, rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddNamedPoliciesEx(ptype, rules)
}
// RemovePolicy removes an authorization rule from the current policy.
func (e *SyncedEnforcer) RemovePolicy(params ...interface{}) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemovePolicy(params...)
}
// UpdatePolicy updates an authorization rule from the current policy.
func (e *SyncedEnforcer) UpdatePolicy(oldPolicy []string, newPolicy []string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdatePolicy(oldPolicy, newPolicy)
}
func (e *SyncedEnforcer) UpdateNamedPolicy(ptype string, p1 []string, p2 []string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdateNamedPolicy(ptype, p1, p2)
}
// UpdatePolicies updates authorization rules from the current policies.
func (e *SyncedEnforcer) UpdatePolicies(oldPolices [][]string, newPolicies [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdatePolicies(oldPolices, newPolicies)
}
func (e *SyncedEnforcer) UpdateNamedPolicies(ptype string, p1 [][]string, p2 [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdateNamedPolicies(ptype, p1, p2)
}
func (e *SyncedEnforcer) UpdateFilteredPolicies(newPolicies [][]string, fieldIndex int, fieldValues ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdateFilteredPolicies(newPolicies, fieldIndex, fieldValues...)
}
func (e *SyncedEnforcer) UpdateFilteredNamedPolicies(ptype string, newPolicies [][]string, fieldIndex int, fieldValues ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdateFilteredNamedPolicies(ptype, newPolicies, fieldIndex, fieldValues...)
}
// RemovePolicies removes authorization rules from the current policy.
func (e *SyncedEnforcer) RemovePolicies(rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemovePolicies(rules)
}
// RemoveFilteredPolicy removes an authorization rule from the current policy, field filters can be specified.
func (e *SyncedEnforcer) RemoveFilteredPolicy(fieldIndex int, fieldValues ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveFilteredPolicy(fieldIndex, fieldValues...)
}
// RemoveNamedPolicy removes an authorization rule from the current named policy.
func (e *SyncedEnforcer) RemoveNamedPolicy(ptype string, params ...interface{}) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveNamedPolicy(ptype, params...)
}
// RemoveNamedPolicies removes authorization rules from the current named policy.
func (e *SyncedEnforcer) RemoveNamedPolicies(ptype string, rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveNamedPolicies(ptype, rules)
}
// RemoveFilteredNamedPolicy removes an authorization rule from the current named policy, field filters can be specified.
func (e *SyncedEnforcer) RemoveFilteredNamedPolicy(ptype string, fieldIndex int, fieldValues ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveFilteredNamedPolicy(ptype, fieldIndex, fieldValues...)
}
// HasGroupingPolicy determines whether a role inheritance rule exists.
func (e *SyncedEnforcer) HasGroupingPolicy(params ...interface{}) (bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.HasGroupingPolicy(params...)
}
// HasNamedGroupingPolicy determines whether a named role inheritance rule exists.
func (e *SyncedEnforcer) HasNamedGroupingPolicy(ptype string, params ...interface{}) (bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.HasNamedGroupingPolicy(ptype, params...)
}
// AddGroupingPolicy adds a role inheritance rule to the current policy.
// If the rule already exists, the function returns false and the rule will not be added.
// Otherwise the function returns true by adding the new rule.
func (e *SyncedEnforcer) AddGroupingPolicy(params ...interface{}) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddGroupingPolicy(params...)
}
// AddGroupingPolicies adds role inheritance rulea to the current policy.
// If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be added.
// Otherwise the function returns true for the corresponding policy rule by adding the new rule.
func (e *SyncedEnforcer) AddGroupingPolicies(rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddGroupingPolicies(rules)
}
// AddGroupingPoliciesEx adds role inheritance rules to the current policy.
// If the rule already exists, the rule will not be added.
// But unlike AddGroupingPolicies, other non-existent rules are added instead of returning false directly.
func (e *SyncedEnforcer) AddGroupingPoliciesEx(rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddGroupingPoliciesEx(rules)
}
// AddNamedGroupingPolicy adds a named role inheritance rule to the current policy.
// If the rule already exists, the function returns false and the rule will not be added.
// Otherwise the function returns true by adding the new rule.
func (e *SyncedEnforcer) AddNamedGroupingPolicy(ptype string, params ...interface{}) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddNamedGroupingPolicy(ptype, params...)
}
// AddNamedGroupingPolicies adds named role inheritance rules to the current policy.
// If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be added.
// Otherwise the function returns true for the corresponding policy rule by adding the new rule.
func (e *SyncedEnforcer) AddNamedGroupingPolicies(ptype string, rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddNamedGroupingPolicies(ptype, rules)
}
// AddNamedGroupingPoliciesEx adds named role inheritance rules to the current policy.
// If the rule already exists, the rule will not be added.
// But unlike AddNamedGroupingPolicies, other non-existent rules are added instead of returning false directly.
func (e *SyncedEnforcer) AddNamedGroupingPoliciesEx(ptype string, rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddNamedGroupingPoliciesEx(ptype, rules)
}
// RemoveGroupingPolicy removes a role inheritance rule from the current policy.
func (e *SyncedEnforcer) RemoveGroupingPolicy(params ...interface{}) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveGroupingPolicy(params...)
}
// RemoveGroupingPolicies removes role inheritance rules from the current policy.
func (e *SyncedEnforcer) RemoveGroupingPolicies(rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveGroupingPolicies(rules)
}
// RemoveFilteredGroupingPolicy removes a role inheritance rule from the current policy, field filters can be specified.
func (e *SyncedEnforcer) RemoveFilteredGroupingPolicy(fieldIndex int, fieldValues ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveFilteredGroupingPolicy(fieldIndex, fieldValues...)
}
// RemoveNamedGroupingPolicy removes a role inheritance rule from the current named policy.
func (e *SyncedEnforcer) RemoveNamedGroupingPolicy(ptype string, params ...interface{}) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveNamedGroupingPolicy(ptype, params...)
}
// RemoveNamedGroupingPolicies removes role inheritance rules from the current named policy.
func (e *SyncedEnforcer) RemoveNamedGroupingPolicies(ptype string, rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveNamedGroupingPolicies(ptype, rules)
}
func (e *SyncedEnforcer) UpdateGroupingPolicy(oldRule []string, newRule []string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdateGroupingPolicy(oldRule, newRule)
}
func (e *SyncedEnforcer) UpdateGroupingPolicies(oldRules [][]string, newRules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdateGroupingPolicies(oldRules, newRules)
}
func (e *SyncedEnforcer) UpdateNamedGroupingPolicy(ptype string, oldRule []string, newRule []string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdateNamedGroupingPolicy(ptype, oldRule, newRule)
}
func (e *SyncedEnforcer) UpdateNamedGroupingPolicies(ptype string, oldRules [][]string, newRules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.UpdateNamedGroupingPolicies(ptype, oldRules, newRules)
}
// RemoveFilteredNamedGroupingPolicy removes a role inheritance rule from the current named policy, field filters can be specified.
func (e *SyncedEnforcer) RemoveFilteredNamedGroupingPolicy(ptype string, fieldIndex int, fieldValues ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.RemoveFilteredNamedGroupingPolicy(ptype, fieldIndex, fieldValues...)
}
// AddFunction adds a customized function.
func (e *SyncedEnforcer) AddFunction(name string, function govaluate.ExpressionFunction) {
e.m.Lock()
defer e.m.Unlock()
e.Enforcer.AddFunction(name, function)
}
func (e *SyncedEnforcer) SelfAddPolicy(sec string, ptype string, rule []string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SelfAddPolicy(sec, ptype, rule)
}
func (e *SyncedEnforcer) SelfAddPolicies(sec string, ptype string, rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SelfAddPolicies(sec, ptype, rules)
}
func (e *SyncedEnforcer) SelfAddPoliciesEx(sec string, ptype string, rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SelfAddPoliciesEx(sec, ptype, rules)
}
func (e *SyncedEnforcer) SelfRemovePolicy(sec string, ptype string, rule []string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SelfRemovePolicy(sec, ptype, rule)
}
func (e *SyncedEnforcer) SelfRemovePolicies(sec string, ptype string, rules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SelfRemovePolicies(sec, ptype, rules)
}
func (e *SyncedEnforcer) SelfRemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SelfRemoveFilteredPolicy(sec, ptype, fieldIndex, fieldValues...)
}
func (e *SyncedEnforcer) SelfUpdatePolicy(sec string, ptype string, oldRule, newRule []string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SelfUpdatePolicy(sec, ptype, oldRule, newRule)
}
func (e *SyncedEnforcer) SelfUpdatePolicies(sec string, ptype string, oldRules, newRules [][]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.SelfUpdatePolicies(sec, ptype, oldRules, newRules)
}

30
vendor/github.com/casbin/casbin/v2/errors/rbac_errors.go generated vendored
View File

@@ -1,30 +0,0 @@
// Copyright 2018 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package errors
import "errors"
// Global errors for rbac defined here.
var (
ErrNameNotFound = errors.New("error: name does not exist")
ErrDomainParameter = errors.New("error: domain should be 1 parameter")
ErrLinkNotFound = errors.New("error: link between name1 and name2 does not exist")
ErrUseDomainParameter = errors.New("error: useDomain should be 1 parameter")
ErrInvalidFieldValuesParameter = errors.New("fieldValues requires at least one parameter")
// GetAllowedObjectConditions errors.
ErrObjCondition = errors.New("need to meet the prefix required by the object condition")
ErrEmptyCondition = errors.New("GetAllowedObjectConditions have an empty condition")
)

57
vendor/github.com/casbin/casbin/v2/frontend.go generated vendored
View File

@@ -1,57 +0,0 @@
// Copyright 2020 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import (
"bytes"
"encoding/json"
)
func CasbinJsGetPermissionForUser(e IEnforcer, user string) (string, error) {
model := e.GetModel()
m := map[string]interface{}{}
m["m"] = model.ToText()
pRules := [][]string{}
for ptype := range model["p"] {
policies, err := model.GetPolicy("p", ptype)
if err != nil {
return "", err
}
for _, rules := range policies {
pRules = append(pRules, append([]string{ptype}, rules...))
}
}
m["p"] = pRules
gRules := [][]string{}
for ptype := range model["g"] {
policies, err := model.GetPolicy("g", ptype)
if err != nil {
return "", err
}
for _, rules := range policies {
gRules = append(gRules, append([]string{ptype}, rules...))
}
}
m["g"] = gRules
result := bytes.NewBuffer([]byte{})
encoder := json.NewEncoder(result)
encoder.SetEscapeHTML(false)
err := encoder.Encode(m)
return result.String(), err
}

30
vendor/github.com/casbin/casbin/v2/frontend_old.go generated vendored
View File

@@ -1,30 +0,0 @@
// Copyright 2021 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import "encoding/json"
func CasbinJsGetPermissionForUserOld(e IEnforcer, user string) ([]byte, error) {
policy, err := e.GetImplicitPermissionsForUser(user)
if err != nil {
return nil, err
}
permission := make(map[string][]string)
for i := 0; i < len(policy); i++ {
permission[policy[i][2]] = append(permission[policy[i][2]], policy[i][1])
}
b, _ := json.Marshal(permission)
return b, nil
}

497
vendor/github.com/casbin/casbin/v2/internal_api.go generated vendored
View File

@@ -1,497 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import (
"fmt"
Err "github.com/casbin/casbin/v2/errors"
"github.com/casbin/casbin/v2/model"
"github.com/casbin/casbin/v2/persist"
)
const (
notImplemented = "not implemented"
)
func (e *Enforcer) shouldPersist() bool {
return e.adapter != nil && e.autoSave
}
func (e *Enforcer) shouldNotify() bool {
return e.watcher != nil && e.autoNotifyWatcher
}
// addPolicy adds a rule to the current policy.
func (e *Enforcer) addPolicyWithoutNotify(sec string, ptype string, rule []string) (bool, error) {
if e.dispatcher != nil && e.autoNotifyDispatcher {
return true, e.dispatcher.AddPolicies(sec, ptype, [][]string{rule})
}
hasPolicy, err := e.model.HasPolicy(sec, ptype, rule)
if hasPolicy || err != nil {
return hasPolicy, err
}
if e.shouldPersist() {
if err = e.adapter.AddPolicy(sec, ptype, rule); err != nil {
if err.Error() != notImplemented {
return false, err
}
}
}
err = e.model.AddPolicy(sec, ptype, rule)
if err != nil {
return false, err
}
if sec == "g" {
err := e.BuildIncrementalRoleLinks(model.PolicyAdd, ptype, [][]string{rule})
if err != nil {
return true, err
}
}
return true, nil
}
// addPoliciesWithoutNotify adds rules to the current policy without notify
// If autoRemoveRepeat == true, existing rules are automatically filtered
// Otherwise, false is returned directly.
func (e *Enforcer) addPoliciesWithoutNotify(sec string, ptype string, rules [][]string, autoRemoveRepeat bool) (bool, error) {
if e.dispatcher != nil && e.autoNotifyDispatcher {
return true, e.dispatcher.AddPolicies(sec, ptype, rules)
}
if !autoRemoveRepeat {
hasPolicies, err := e.model.HasPolicies(sec, ptype, rules)
if hasPolicies || err != nil {
return false, err
}
}
if e.shouldPersist() {
if err := e.adapter.(persist.BatchAdapter).AddPolicies(sec, ptype, rules); err != nil {
if err.Error() != notImplemented {
return false, err
}
}
}
err := e.model.AddPolicies(sec, ptype, rules)
if err != nil {
return false, err
}
if sec == "g" {
err := e.BuildIncrementalRoleLinks(model.PolicyAdd, ptype, rules)
if err != nil {
return true, err
}
err = e.BuildIncrementalConditionalRoleLinks(model.PolicyAdd, ptype, rules)
if err != nil {
return true, err
}
}
return true, nil
}
// removePolicy removes a rule from the current policy.
func (e *Enforcer) removePolicyWithoutNotify(sec string, ptype string, rule []string) (bool, error) {
if e.dispatcher != nil && e.autoNotifyDispatcher {
return true, e.dispatcher.RemovePolicies(sec, ptype, [][]string{rule})
}
if e.shouldPersist() {
if err := e.adapter.RemovePolicy(sec, ptype, rule); err != nil {
if err.Error() != notImplemented {
return false, err
}
}
}
ruleRemoved, err := e.model.RemovePolicy(sec, ptype, rule)
if !ruleRemoved || err != nil {
return ruleRemoved, err
}
if sec == "g" {
err := e.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, [][]string{rule})
if err != nil {
return ruleRemoved, err
}
}
return ruleRemoved, nil
}
func (e *Enforcer) updatePolicyWithoutNotify(sec string, ptype string, oldRule []string, newRule []string) (bool, error) {
if e.dispatcher != nil && e.autoNotifyDispatcher {
return true, e.dispatcher.UpdatePolicy(sec, ptype, oldRule, newRule)
}
if e.shouldPersist() {
if err := e.adapter.(persist.UpdatableAdapter).UpdatePolicy(sec, ptype, oldRule, newRule); err != nil {
if err.Error() != notImplemented {
return false, err
}
}
}
ruleUpdated, err := e.model.UpdatePolicy(sec, ptype, oldRule, newRule)
if !ruleUpdated || err != nil {
return ruleUpdated, err
}
if sec == "g" {
err := e.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, [][]string{oldRule}) // remove the old rule
if err != nil {
return ruleUpdated, err
}
err = e.BuildIncrementalRoleLinks(model.PolicyAdd, ptype, [][]string{newRule}) // add the new rule
if err != nil {
return ruleUpdated, err
}
}
return ruleUpdated, nil
}
func (e *Enforcer) updatePoliciesWithoutNotify(sec string, ptype string, oldRules [][]string, newRules [][]string) (bool, error) {
if len(newRules) != len(oldRules) {
return false, fmt.Errorf("the length of oldRules should be equal to the length of newRules, but got the length of oldRules is %d, the length of newRules is %d", len(oldRules), len(newRules))
}
if e.dispatcher != nil && e.autoNotifyDispatcher {
return true, e.dispatcher.UpdatePolicies(sec, ptype, oldRules, newRules)
}
if e.shouldPersist() {
if err := e.adapter.(persist.UpdatableAdapter).UpdatePolicies(sec, ptype, oldRules, newRules); err != nil {
if err.Error() != notImplemented {
return false, err
}
}
}
ruleUpdated, err := e.model.UpdatePolicies(sec, ptype, oldRules, newRules)
if !ruleUpdated || err != nil {
return ruleUpdated, err
}
if sec == "g" {
err := e.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, oldRules) // remove the old rules
if err != nil {
return ruleUpdated, err
}
err = e.BuildIncrementalRoleLinks(model.PolicyAdd, ptype, newRules) // add the new rules
if err != nil {
return ruleUpdated, err
}
}
return ruleUpdated, nil
}
// removePolicies removes rules from the current policy.
func (e *Enforcer) removePoliciesWithoutNotify(sec string, ptype string, rules [][]string) (bool, error) {
if hasPolicies, err := e.model.HasPolicies(sec, ptype, rules); !hasPolicies || err != nil {
return hasPolicies, err
}
if e.dispatcher != nil && e.autoNotifyDispatcher {
return true, e.dispatcher.RemovePolicies(sec, ptype, rules)
}
if e.shouldPersist() {
if err := e.adapter.(persist.BatchAdapter).RemovePolicies(sec, ptype, rules); err != nil {
if err.Error() != notImplemented {
return false, err
}
}
}
rulesRemoved, err := e.model.RemovePolicies(sec, ptype, rules)
if !rulesRemoved || err != nil {
return rulesRemoved, err
}
if sec == "g" {
err := e.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, rules)
if err != nil {
return rulesRemoved, err
}
}
return rulesRemoved, nil
}
// removeFilteredPolicy removes rules based on field filters from the current policy.
func (e *Enforcer) removeFilteredPolicyWithoutNotify(sec string, ptype string, fieldIndex int, fieldValues []string) (bool, error) {
if len(fieldValues) == 0 {
return false, Err.ErrInvalidFieldValuesParameter
}
if e.dispatcher != nil && e.autoNotifyDispatcher {
return true, e.dispatcher.RemoveFilteredPolicy(sec, ptype, fieldIndex, fieldValues...)
}
if e.shouldPersist() {
if err := e.adapter.RemoveFilteredPolicy(sec, ptype, fieldIndex, fieldValues...); err != nil {
if err.Error() != notImplemented {
return false, err
}
}
}
ruleRemoved, effects, err := e.model.RemoveFilteredPolicy(sec, ptype, fieldIndex, fieldValues...)
if !ruleRemoved || err != nil {
return ruleRemoved, err
}
if sec == "g" {
err := e.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, effects)
if err != nil {
return ruleRemoved, err
}
}
return ruleRemoved, nil
}
func (e *Enforcer) updateFilteredPoliciesWithoutNotify(sec string, ptype string, newRules [][]string, fieldIndex int, fieldValues ...string) ([][]string, error) {
var (
oldRules [][]string
err error
)
if _, err = e.model.GetAssertion(sec, ptype); err != nil {
return oldRules, err
}
if e.shouldPersist() {
if oldRules, err = e.adapter.(persist.UpdatableAdapter).UpdateFilteredPolicies(sec, ptype, newRules, fieldIndex, fieldValues...); err != nil {
if err.Error() != notImplemented {
return nil, err
}
}
// For compatibility, because some adapters return oldRules containing ptype, see https://github.com/casbin/xorm-adapter/issues/49
for i, oldRule := range oldRules {
if len(oldRules[i]) == len(e.model[sec][ptype].Tokens)+1 {
oldRules[i] = oldRule[1:]
}
}
}
if e.dispatcher != nil && e.autoNotifyDispatcher {
return oldRules, e.dispatcher.UpdateFilteredPolicies(sec, ptype, oldRules, newRules)
}
ruleChanged, err := e.model.RemovePolicies(sec, ptype, oldRules)
if err != nil {
return oldRules, err
}
err = e.model.AddPolicies(sec, ptype, newRules)
if err != nil {
return oldRules, err
}
ruleChanged = ruleChanged && len(newRules) != 0
if !ruleChanged {
return make([][]string, 0), nil
}
if sec == "g" {
err := e.BuildIncrementalRoleLinks(model.PolicyRemove, ptype, oldRules) // remove the old rules
if err != nil {
return oldRules, err
}
err = e.BuildIncrementalRoleLinks(model.PolicyAdd, ptype, newRules) // add the new rules
if err != nil {
return oldRules, err
}
}
return oldRules, nil
}
// addPolicy adds a rule to the current policy.
func (e *Enforcer) addPolicy(sec string, ptype string, rule []string) (bool, error) {
ok, err := e.addPolicyWithoutNotify(sec, ptype, rule)
if !ok || err != nil {
return ok, err
}
if e.shouldNotify() {
var err error
if watcher, ok := e.watcher.(persist.WatcherEx); ok {
err = watcher.UpdateForAddPolicy(sec, ptype, rule...)
} else {
err = e.watcher.Update()
}
return true, err
}
return true, nil
}
// addPolicies adds rules to the current policy.
// If autoRemoveRepeat == true, existing rules are automatically filtered
// Otherwise, false is returned directly.
func (e *Enforcer) addPolicies(sec string, ptype string, rules [][]string, autoRemoveRepeat bool) (bool, error) {
ok, err := e.addPoliciesWithoutNotify(sec, ptype, rules, autoRemoveRepeat)
if !ok || err != nil {
return ok, err
}
if e.shouldNotify() {
var err error
if watcher, ok := e.watcher.(persist.WatcherEx); ok {
err = watcher.UpdateForAddPolicies(sec, ptype, rules...)
} else {
err = e.watcher.Update()
}
return true, err
}
return true, nil
}
// removePolicy removes a rule from the current policy.
func (e *Enforcer) removePolicy(sec string, ptype string, rule []string) (bool, error) {
ok, err := e.removePolicyWithoutNotify(sec, ptype, rule)
if !ok || err != nil {
return ok, err
}
if e.shouldNotify() {
var err error
if watcher, ok := e.watcher.(persist.WatcherEx); ok {
err = watcher.UpdateForRemovePolicy(sec, ptype, rule...)
} else {
err = e.watcher.Update()
}
return true, err
}
return true, nil
}
func (e *Enforcer) updatePolicy(sec string, ptype string, oldRule []string, newRule []string) (bool, error) {
ok, err := e.updatePolicyWithoutNotify(sec, ptype, oldRule, newRule)
if !ok || err != nil {
return ok, err
}
if e.shouldNotify() {
var err error
if watcher, ok := e.watcher.(persist.UpdatableWatcher); ok {
err = watcher.UpdateForUpdatePolicy(sec, ptype, oldRule, newRule)
} else {
err = e.watcher.Update()
}
return true, err
}
return true, nil
}
func (e *Enforcer) updatePolicies(sec string, ptype string, oldRules [][]string, newRules [][]string) (bool, error) {
ok, err := e.updatePoliciesWithoutNotify(sec, ptype, oldRules, newRules)
if !ok || err != nil {
return ok, err
}
if e.shouldNotify() {
var err error
if watcher, ok := e.watcher.(persist.UpdatableWatcher); ok {
err = watcher.UpdateForUpdatePolicies(sec, ptype, oldRules, newRules)
} else {
err = e.watcher.Update()
}
return true, err
}
return true, nil
}
// removePolicies removes rules from the current policy.
func (e *Enforcer) removePolicies(sec string, ptype string, rules [][]string) (bool, error) {
ok, err := e.removePoliciesWithoutNotify(sec, ptype, rules)
if !ok || err != nil {
return ok, err
}
if e.shouldNotify() {
var err error
if watcher, ok := e.watcher.(persist.WatcherEx); ok {
err = watcher.UpdateForRemovePolicies(sec, ptype, rules...)
} else {
err = e.watcher.Update()
}
return true, err
}
return true, nil
}
// removeFilteredPolicy removes rules based on field filters from the current policy.
func (e *Enforcer) removeFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues []string) (bool, error) {
ok, err := e.removeFilteredPolicyWithoutNotify(sec, ptype, fieldIndex, fieldValues)
if !ok || err != nil {
return ok, err
}
if e.shouldNotify() {
var err error
if watcher, ok := e.watcher.(persist.WatcherEx); ok {
err = watcher.UpdateForRemoveFilteredPolicy(sec, ptype, fieldIndex, fieldValues...)
} else {
err = e.watcher.Update()
}
return true, err
}
return true, nil
}
func (e *Enforcer) updateFilteredPolicies(sec string, ptype string, newRules [][]string, fieldIndex int, fieldValues ...string) (bool, error) {
oldRules, err := e.updateFilteredPoliciesWithoutNotify(sec, ptype, newRules, fieldIndex, fieldValues...)
ok := len(oldRules) != 0
if !ok || err != nil {
return ok, err
}
if e.shouldNotify() {
var err error
if watcher, ok := e.watcher.(persist.UpdatableWatcher); ok {
err = watcher.UpdateForUpdatePolicies(sec, ptype, oldRules, newRules)
} else {
err = e.watcher.Update()
}
return true, err
}
return true, nil
}
func (e *Enforcer) GetFieldIndex(ptype string, field string) (int, error) {
return e.model.GetFieldIndex(ptype, field)
}
func (e *Enforcer) SetFieldIndex(ptype string, field string, index int) {
assertion := e.model["p"][ptype]
assertion.FieldIndexMap[field] = index
}

104
vendor/github.com/casbin/casbin/v2/log/default_logger.go generated vendored
View File

@@ -1,104 +0,0 @@
// Copyright 2018 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package log
import (
"fmt"
"log"
"strings"
)
// DefaultLogger is the implementation for a Logger using golang log.
type DefaultLogger struct {
enabled bool
}
func (l *DefaultLogger) EnableLog(enable bool) {
l.enabled = enable
}
func (l *DefaultLogger) IsEnabled() bool {
return l.enabled
}
func (l *DefaultLogger) LogModel(model [][]string) {
if !l.enabled {
return
}
var str strings.Builder
str.WriteString("Model: ")
for _, v := range model {
str.WriteString(fmt.Sprintf("%v\n", v))
}
log.Println(str.String())
}
func (l *DefaultLogger) LogEnforce(matcher string, request []interface{}, result bool, explains [][]string) {
if !l.enabled {
return
}
var reqStr strings.Builder
reqStr.WriteString("Request: ")
for i, rval := range request {
if i != len(request)-1 {
reqStr.WriteString(fmt.Sprintf("%v, ", rval))
} else {
reqStr.WriteString(fmt.Sprintf("%v", rval))
}
}
reqStr.WriteString(fmt.Sprintf(" ---> %t\n", result))
reqStr.WriteString("Hit Policy: ")
for i, pval := range explains {
if i != len(explains)-1 {
reqStr.WriteString(fmt.Sprintf("%v, ", pval))
} else {
reqStr.WriteString(fmt.Sprintf("%v \n", pval))
}
}
log.Println(reqStr.String())
}
func (l *DefaultLogger) LogPolicy(policy map[string][][]string) {
if !l.enabled {
return
}
var str strings.Builder
str.WriteString("Policy: ")
for k, v := range policy {
str.WriteString(fmt.Sprintf("%s : %v\n", k, v))
}
log.Println(str.String())
}
func (l *DefaultLogger) LogRole(roles []string) {
if !l.enabled {
return
}
log.Println("Roles: ", strings.Join(roles, "\n"))
}
func (l *DefaultLogger) LogError(err error, msg ...string) {
if !l.enabled {
return
}
log.Println(msg, err)
}

52
vendor/github.com/casbin/casbin/v2/log/log_util.go generated vendored
View File

@@ -1,52 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package log
var logger Logger = &DefaultLogger{}
// SetLogger sets the current logger.
func SetLogger(l Logger) {
logger = l
}
// GetLogger returns the current logger.
func GetLogger() Logger {
return logger
}
// LogModel logs the model information.
func LogModel(model [][]string) {
logger.LogModel(model)
}
// LogEnforce logs the enforcer information.
func LogEnforce(matcher string, request []interface{}, result bool, explains [][]string) {
logger.LogEnforce(matcher, request, result, explains)
}
// LogRole log info related to role.
func LogRole(roles []string) {
logger.LogRole(roles)
}
// LogPolicy logs the policy information.
func LogPolicy(policy map[string][][]string) {
logger.LogPolicy(policy)
}
// LogError logs the error information.
func LogError(err error, msg ...string) {
logger.LogError(err, msg...)
}

41
vendor/github.com/casbin/casbin/v2/log/logger.go generated vendored
View File

@@ -1,41 +0,0 @@
// Copyright 2018 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package log
//go:generate mockgen -destination=./mocks/mock_logger.go -package=mocks github.com/casbin/casbin/v2/log Logger
// Logger is the logging interface implementation.
type Logger interface {
// EnableLog controls whether print the message.
EnableLog(bool)
// IsEnabled returns if logger is enabled.
IsEnabled() bool
// LogModel log info related to model.
LogModel(model [][]string)
// LogEnforce log info related to enforce.
LogEnforce(matcher string, request []interface{}, result bool, explains [][]string)
// LogRole log info related to role.
LogRole(roles []string)
// LogPolicy log info related to policy.
LogPolicy(policy map[string][][]string)
// LogError log info relate to error
LogError(err error, msg ...string)
}

500
vendor/github.com/casbin/casbin/v2/management_api.go generated vendored
View File

@@ -1,500 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import (
"errors"
"fmt"
"strings"
"github.com/casbin/casbin/v2/constant"
"github.com/casbin/casbin/v2/util"
"github.com/casbin/govaluate"
)
// GetAllSubjects gets the list of subjects that show up in the current policy.
func (e *Enforcer) GetAllSubjects() ([]string, error) {
return e.model.GetValuesForFieldInPolicyAllTypesByName("p", constant.SubjectIndex)
}
// GetAllNamedSubjects gets the list of subjects that show up in the current named policy.
func (e *Enforcer) GetAllNamedSubjects(ptype string) ([]string, error) {
fieldIndex, err := e.model.GetFieldIndex(ptype, constant.SubjectIndex)
if err != nil {
return nil, err
}
return e.model.GetValuesForFieldInPolicy("p", ptype, fieldIndex)
}
// GetAllObjects gets the list of objects that show up in the current policy.
func (e *Enforcer) GetAllObjects() ([]string, error) {
return e.model.GetValuesForFieldInPolicyAllTypesByName("p", constant.ObjectIndex)
}
// GetAllNamedObjects gets the list of objects that show up in the current named policy.
func (e *Enforcer) GetAllNamedObjects(ptype string) ([]string, error) {
fieldIndex, err := e.model.GetFieldIndex(ptype, constant.ObjectIndex)
if err != nil {
return nil, err
}
return e.model.GetValuesForFieldInPolicy("p", ptype, fieldIndex)
}
// GetAllActions gets the list of actions that show up in the current policy.
func (e *Enforcer) GetAllActions() ([]string, error) {
return e.model.GetValuesForFieldInPolicyAllTypesByName("p", constant.ActionIndex)
}
// GetAllNamedActions gets the list of actions that show up in the current named policy.
func (e *Enforcer) GetAllNamedActions(ptype string) ([]string, error) {
fieldIndex, err := e.model.GetFieldIndex(ptype, constant.ActionIndex)
if err != nil {
return nil, err
}
return e.model.GetValuesForFieldInPolicy("p", ptype, fieldIndex)
}
// GetAllRoles gets the list of roles that show up in the current policy.
func (e *Enforcer) GetAllRoles() ([]string, error) {
return e.model.GetValuesForFieldInPolicyAllTypes("g", 1)
}
// GetAllNamedRoles gets the list of roles that show up in the current named policy.
func (e *Enforcer) GetAllNamedRoles(ptype string) ([]string, error) {
return e.model.GetValuesForFieldInPolicy("g", ptype, 1)
}
// GetPolicy gets all the authorization rules in the policy.
func (e *Enforcer) GetPolicy() ([][]string, error) {
return e.GetNamedPolicy("p")
}
// GetFilteredPolicy gets all the authorization rules in the policy, field filters can be specified.
func (e *Enforcer) GetFilteredPolicy(fieldIndex int, fieldValues ...string) ([][]string, error) {
return e.GetFilteredNamedPolicy("p", fieldIndex, fieldValues...)
}
// GetNamedPolicy gets all the authorization rules in the named policy.
func (e *Enforcer) GetNamedPolicy(ptype string) ([][]string, error) {
return e.model.GetPolicy("p", ptype)
}
// GetFilteredNamedPolicy gets all the authorization rules in the named policy, field filters can be specified.
func (e *Enforcer) GetFilteredNamedPolicy(ptype string, fieldIndex int, fieldValues ...string) ([][]string, error) {
return e.model.GetFilteredPolicy("p", ptype, fieldIndex, fieldValues...)
}
// GetGroupingPolicy gets all the role inheritance rules in the policy.
func (e *Enforcer) GetGroupingPolicy() ([][]string, error) {
return e.GetNamedGroupingPolicy("g")
}
// GetFilteredGroupingPolicy gets all the role inheritance rules in the policy, field filters can be specified.
func (e *Enforcer) GetFilteredGroupingPolicy(fieldIndex int, fieldValues ...string) ([][]string, error) {
return e.GetFilteredNamedGroupingPolicy("g", fieldIndex, fieldValues...)
}
// GetNamedGroupingPolicy gets all the role inheritance rules in the policy.
func (e *Enforcer) GetNamedGroupingPolicy(ptype string) ([][]string, error) {
return e.model.GetPolicy("g", ptype)
}
// GetFilteredNamedGroupingPolicy gets all the role inheritance rules in the policy, field filters can be specified.
func (e *Enforcer) GetFilteredNamedGroupingPolicy(ptype string, fieldIndex int, fieldValues ...string) ([][]string, error) {
return e.model.GetFilteredPolicy("g", ptype, fieldIndex, fieldValues...)
}
// GetFilteredNamedPolicyWithMatcher gets rules based on matcher from the policy.
func (e *Enforcer) GetFilteredNamedPolicyWithMatcher(ptype string, matcher string) ([][]string, error) {
var res [][]string
var err error
functions := e.fm.GetFunctions()
if _, ok := e.model["g"]; ok {
for key, ast := range e.model["g"] {
// g must be a normal role definition (ast.RM != nil)
// or a conditional role definition (ast.CondRM != nil)
// ast.RM and ast.CondRM shouldn't be nil at the same time
if ast.RM != nil {
functions[key] = util.GenerateGFunction(ast.RM)
}
if ast.CondRM != nil {
functions[key] = util.GenerateConditionalGFunction(ast.CondRM)
}
}
}
var expString string
if matcher == "" {
return res, fmt.Errorf("matcher is empty")
} else {
expString = util.RemoveComments(util.EscapeAssertion(matcher))
}
var expression *govaluate.EvaluableExpression
expression, err = govaluate.NewEvaluableExpressionWithFunctions(expString, functions)
if err != nil {
return res, err
}
pTokens := make(map[string]int, len(e.model["p"][ptype].Tokens))
for i, token := range e.model["p"][ptype].Tokens {
pTokens[token] = i
}
parameters := enforceParameters{
pTokens: pTokens,
}
if policyLen := len(e.model["p"][ptype].Policy); policyLen != 0 && strings.Contains(expString, ptype+"_") {
for _, pvals := range e.model["p"][ptype].Policy {
if len(e.model["p"][ptype].Tokens) != len(pvals) {
return res, fmt.Errorf(
"invalid policy size: expected %d, got %d, pvals: %v",
len(e.model["p"][ptype].Tokens),
len(pvals),
pvals)
}
parameters.pVals = pvals
result, err := expression.Eval(parameters)
if err != nil {
return res, err
}
switch result := result.(type) {
case bool:
if result {
res = append(res, pvals)
}
case float64:
if result != 0 {
res = append(res, pvals)
}
default:
return res, errors.New("matcher result should be bool, int or float")
}
}
}
return res, nil
}
// HasPolicy determines whether an authorization rule exists.
func (e *Enforcer) HasPolicy(params ...interface{}) (bool, error) {
return e.HasNamedPolicy("p", params...)
}
// HasNamedPolicy determines whether a named authorization rule exists.
func (e *Enforcer) HasNamedPolicy(ptype string, params ...interface{}) (bool, error) {
if strSlice, ok := params[0].([]string); len(params) == 1 && ok {
return e.model.HasPolicy("p", ptype, strSlice)
}
policy := make([]string, 0)
for _, param := range params {
policy = append(policy, param.(string))
}
return e.model.HasPolicy("p", ptype, policy)
}
// AddPolicy adds an authorization rule to the current policy.
// If the rule already exists, the function returns false and the rule will not be added.
// Otherwise the function returns true by adding the new rule.
func (e *Enforcer) AddPolicy(params ...interface{}) (bool, error) {
return e.AddNamedPolicy("p", params...)
}
// AddPolicies adds authorization rules to the current policy.
// If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
// Otherwise the function returns true for the corresponding rule by adding the new rule.
func (e *Enforcer) AddPolicies(rules [][]string) (bool, error) {
return e.AddNamedPolicies("p", rules)
}
// AddPoliciesEx adds authorization rules to the current policy.
// If the rule already exists, the rule will not be added.
// But unlike AddPolicies, other non-existent rules are added instead of returning false directly.
func (e *Enforcer) AddPoliciesEx(rules [][]string) (bool, error) {
return e.AddNamedPoliciesEx("p", rules)
}
// AddNamedPolicy adds an authorization rule to the current named policy.
// If the rule already exists, the function returns false and the rule will not be added.
// Otherwise the function returns true by adding the new rule.
func (e *Enforcer) AddNamedPolicy(ptype string, params ...interface{}) (bool, error) {
if strSlice, ok := params[0].([]string); len(params) == 1 && ok {
strSlice = append(make([]string, 0, len(strSlice)), strSlice...)
return e.addPolicy("p", ptype, strSlice)
}
policy := make([]string, 0)
for _, param := range params {
policy = append(policy, param.(string))
}
return e.addPolicy("p", ptype, policy)
}
// AddNamedPolicies adds authorization rules to the current named policy.
// If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
// Otherwise the function returns true for the corresponding by adding the new rule.
func (e *Enforcer) AddNamedPolicies(ptype string, rules [][]string) (bool, error) {
return e.addPolicies("p", ptype, rules, false)
}
// AddNamedPoliciesEx adds authorization rules to the current named policy.
// If the rule already exists, the rule will not be added.
// But unlike AddNamedPolicies, other non-existent rules are added instead of returning false directly.
func (e *Enforcer) AddNamedPoliciesEx(ptype string, rules [][]string) (bool, error) {
return e.addPolicies("p", ptype, rules, true)
}
// RemovePolicy removes an authorization rule from the current policy.
func (e *Enforcer) RemovePolicy(params ...interface{}) (bool, error) {
return e.RemoveNamedPolicy("p", params...)
}
// UpdatePolicy updates an authorization rule from the current policy.
func (e *Enforcer) UpdatePolicy(oldPolicy []string, newPolicy []string) (bool, error) {
return e.UpdateNamedPolicy("p", oldPolicy, newPolicy)
}
func (e *Enforcer) UpdateNamedPolicy(ptype string, p1 []string, p2 []string) (bool, error) {
return e.updatePolicy("p", ptype, p1, p2)
}
// UpdatePolicies updates authorization rules from the current policies.
func (e *Enforcer) UpdatePolicies(oldPolices [][]string, newPolicies [][]string) (bool, error) {
return e.UpdateNamedPolicies("p", oldPolices, newPolicies)
}
func (e *Enforcer) UpdateNamedPolicies(ptype string, p1 [][]string, p2 [][]string) (bool, error) {
return e.updatePolicies("p", ptype, p1, p2)
}
func (e *Enforcer) UpdateFilteredPolicies(newPolicies [][]string, fieldIndex int, fieldValues ...string) (bool, error) {
return e.UpdateFilteredNamedPolicies("p", newPolicies, fieldIndex, fieldValues...)
}
func (e *Enforcer) UpdateFilteredNamedPolicies(ptype string, newPolicies [][]string, fieldIndex int, fieldValues ...string) (bool, error) {
return e.updateFilteredPolicies("p", ptype, newPolicies, fieldIndex, fieldValues...)
}
// RemovePolicies removes authorization rules from the current policy.
func (e *Enforcer) RemovePolicies(rules [][]string) (bool, error) {
return e.RemoveNamedPolicies("p", rules)
}
// RemoveFilteredPolicy removes an authorization rule from the current policy, field filters can be specified.
func (e *Enforcer) RemoveFilteredPolicy(fieldIndex int, fieldValues ...string) (bool, error) {
return e.RemoveFilteredNamedPolicy("p", fieldIndex, fieldValues...)
}
// RemoveNamedPolicy removes an authorization rule from the current named policy.
func (e *Enforcer) RemoveNamedPolicy(ptype string, params ...interface{}) (bool, error) {
if strSlice, ok := params[0].([]string); len(params) == 1 && ok {
return e.removePolicy("p", ptype, strSlice)
}
policy := make([]string, 0)
for _, param := range params {
policy = append(policy, param.(string))
}
return e.removePolicy("p", ptype, policy)
}
// RemoveNamedPolicies removes authorization rules from the current named policy.
func (e *Enforcer) RemoveNamedPolicies(ptype string, rules [][]string) (bool, error) {
return e.removePolicies("p", ptype, rules)
}
// RemoveFilteredNamedPolicy removes an authorization rule from the current named policy, field filters can be specified.
func (e *Enforcer) RemoveFilteredNamedPolicy(ptype string, fieldIndex int, fieldValues ...string) (bool, error) {
return e.removeFilteredPolicy("p", ptype, fieldIndex, fieldValues)
}
// HasGroupingPolicy determines whether a role inheritance rule exists.
func (e *Enforcer) HasGroupingPolicy(params ...interface{}) (bool, error) {
return e.HasNamedGroupingPolicy("g", params...)
}
// HasNamedGroupingPolicy determines whether a named role inheritance rule exists.
func (e *Enforcer) HasNamedGroupingPolicy(ptype string, params ...interface{}) (bool, error) {
if strSlice, ok := params[0].([]string); len(params) == 1 && ok {
return e.model.HasPolicy("g", ptype, strSlice)
}
policy := make([]string, 0)
for _, param := range params {
policy = append(policy, param.(string))
}
return e.model.HasPolicy("g", ptype, policy)
}
// AddGroupingPolicy adds a role inheritance rule to the current policy.
// If the rule already exists, the function returns false and the rule will not be added.
// Otherwise the function returns true by adding the new rule.
func (e *Enforcer) AddGroupingPolicy(params ...interface{}) (bool, error) {
return e.AddNamedGroupingPolicy("g", params...)
}
// AddGroupingPolicies adds role inheritance rules to the current policy.
// If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be added.
// Otherwise the function returns true for the corresponding policy rule by adding the new rule.
func (e *Enforcer) AddGroupingPolicies(rules [][]string) (bool, error) {
return e.AddNamedGroupingPolicies("g", rules)
}
// AddGroupingPoliciesEx adds role inheritance rules to the current policy.
// If the rule already exists, the rule will not be added.
// But unlike AddGroupingPolicies, other non-existent rules are added instead of returning false directly.
func (e *Enforcer) AddGroupingPoliciesEx(rules [][]string) (bool, error) {
return e.AddNamedGroupingPoliciesEx("g", rules)
}
// AddNamedGroupingPolicy adds a named role inheritance rule to the current policy.
// If the rule already exists, the function returns false and the rule will not be added.
// Otherwise the function returns true by adding the new rule.
func (e *Enforcer) AddNamedGroupingPolicy(ptype string, params ...interface{}) (bool, error) {
var ruleAdded bool
var err error
if strSlice, ok := params[0].([]string); len(params) == 1 && ok {
ruleAdded, err = e.addPolicy("g", ptype, strSlice)
} else {
policy := make([]string, 0)
for _, param := range params {
policy = append(policy, param.(string))
}
ruleAdded, err = e.addPolicy("g", ptype, policy)
}
return ruleAdded, err
}
// AddNamedGroupingPolicies adds named role inheritance rules to the current policy.
// If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be added.
// Otherwise the function returns true for the corresponding policy rule by adding the new rule.
func (e *Enforcer) AddNamedGroupingPolicies(ptype string, rules [][]string) (bool, error) {
return e.addPolicies("g", ptype, rules, false)
}
// AddNamedGroupingPoliciesEx adds named role inheritance rules to the current policy.
// If the rule already exists, the rule will not be added.
// But unlike AddNamedGroupingPolicies, other non-existent rules are added instead of returning false directly.
func (e *Enforcer) AddNamedGroupingPoliciesEx(ptype string, rules [][]string) (bool, error) {
return e.addPolicies("g", ptype, rules, true)
}
// RemoveGroupingPolicy removes a role inheritance rule from the current policy.
func (e *Enforcer) RemoveGroupingPolicy(params ...interface{}) (bool, error) {
return e.RemoveNamedGroupingPolicy("g", params...)
}
// RemoveGroupingPolicies removes role inheritance rules from the current policy.
func (e *Enforcer) RemoveGroupingPolicies(rules [][]string) (bool, error) {
return e.RemoveNamedGroupingPolicies("g", rules)
}
// RemoveFilteredGroupingPolicy removes a role inheritance rule from the current policy, field filters can be specified.
func (e *Enforcer) RemoveFilteredGroupingPolicy(fieldIndex int, fieldValues ...string) (bool, error) {
return e.RemoveFilteredNamedGroupingPolicy("g", fieldIndex, fieldValues...)
}
// RemoveNamedGroupingPolicy removes a role inheritance rule from the current named policy.
func (e *Enforcer) RemoveNamedGroupingPolicy(ptype string, params ...interface{}) (bool, error) {
var ruleRemoved bool
var err error
if strSlice, ok := params[0].([]string); len(params) == 1 && ok {
ruleRemoved, err = e.removePolicy("g", ptype, strSlice)
} else {
policy := make([]string, 0)
for _, param := range params {
policy = append(policy, param.(string))
}
ruleRemoved, err = e.removePolicy("g", ptype, policy)
}
return ruleRemoved, err
}
// RemoveNamedGroupingPolicies removes role inheritance rules from the current named policy.
func (e *Enforcer) RemoveNamedGroupingPolicies(ptype string, rules [][]string) (bool, error) {
return e.removePolicies("g", ptype, rules)
}
func (e *Enforcer) UpdateGroupingPolicy(oldRule []string, newRule []string) (bool, error) {
return e.UpdateNamedGroupingPolicy("g", oldRule, newRule)
}
// UpdateGroupingPolicies updates authorization rules from the current policies.
func (e *Enforcer) UpdateGroupingPolicies(oldRules [][]string, newRules [][]string) (bool, error) {
return e.UpdateNamedGroupingPolicies("g", oldRules, newRules)
}
func (e *Enforcer) UpdateNamedGroupingPolicy(ptype string, oldRule []string, newRule []string) (bool, error) {
return e.updatePolicy("g", ptype, oldRule, newRule)
}
func (e *Enforcer) UpdateNamedGroupingPolicies(ptype string, oldRules [][]string, newRules [][]string) (bool, error) {
return e.updatePolicies("g", ptype, oldRules, newRules)
}
// RemoveFilteredNamedGroupingPolicy removes a role inheritance rule from the current named policy, field filters can be specified.
func (e *Enforcer) RemoveFilteredNamedGroupingPolicy(ptype string, fieldIndex int, fieldValues ...string) (bool, error) {
return e.removeFilteredPolicy("g", ptype, fieldIndex, fieldValues)
}
// AddFunction adds a customized function.
func (e *Enforcer) AddFunction(name string, function govaluate.ExpressionFunction) {
e.fm.AddFunction(name, function)
}
func (e *Enforcer) SelfAddPolicy(sec string, ptype string, rule []string) (bool, error) {
return e.addPolicyWithoutNotify(sec, ptype, rule)
}
func (e *Enforcer) SelfAddPolicies(sec string, ptype string, rules [][]string) (bool, error) {
return e.addPoliciesWithoutNotify(sec, ptype, rules, false)
}
func (e *Enforcer) SelfAddPoliciesEx(sec string, ptype string, rules [][]string) (bool, error) {
return e.addPoliciesWithoutNotify(sec, ptype, rules, true)
}
func (e *Enforcer) SelfRemovePolicy(sec string, ptype string, rule []string) (bool, error) {
return e.removePolicyWithoutNotify(sec, ptype, rule)
}
func (e *Enforcer) SelfRemovePolicies(sec string, ptype string, rules [][]string) (bool, error) {
return e.removePoliciesWithoutNotify(sec, ptype, rules)
}
func (e *Enforcer) SelfRemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) (bool, error) {
return e.removeFilteredPolicyWithoutNotify(sec, ptype, fieldIndex, fieldValues)
}
func (e *Enforcer) SelfUpdatePolicy(sec string, ptype string, oldRule, newRule []string) (bool, error) {
return e.updatePolicyWithoutNotify(sec, ptype, oldRule, newRule)
}
func (e *Enforcer) SelfUpdatePolicies(sec string, ptype string, oldRules, newRules [][]string) (bool, error) {
return e.updatePoliciesWithoutNotify(sec, ptype, oldRules, newRules)
}

194
vendor/github.com/casbin/casbin/v2/model/assertion.go generated vendored
View File

@@ -1,194 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package model
import (
"errors"
"strings"
"github.com/casbin/casbin/v2/log"
"github.com/casbin/casbin/v2/rbac"
)
// Assertion represents an expression in a section of the model.
// For example: r = sub, obj, act.
type Assertion struct {
Key string
Value string
Tokens []string
ParamsTokens []string
Policy [][]string
PolicyMap map[string]int
RM rbac.RoleManager
CondRM rbac.ConditionalRoleManager
FieldIndexMap map[string]int
logger log.Logger
}
func (ast *Assertion) buildIncrementalRoleLinks(rm rbac.RoleManager, op PolicyOp, rules [][]string) error {
ast.RM = rm
count := strings.Count(ast.Value, "_")
if count < 2 {
return errors.New("the number of \"_\" in role definition should be at least 2")
}
for _, rule := range rules {
if len(rule) < count {
return errors.New("grouping policy elements do not meet role definition")
}
if len(rule) > count {
rule = rule[:count]
}
switch op {
case PolicyAdd:
err := rm.AddLink(rule[0], rule[1], rule[2:]...)
if err != nil {
return err
}
case PolicyRemove:
err := rm.DeleteLink(rule[0], rule[1], rule[2:]...)
if err != nil {
return err
}
}
}
return nil
}
func (ast *Assertion) buildRoleLinks(rm rbac.RoleManager) error {
ast.RM = rm
count := strings.Count(ast.Value, "_")
if count < 2 {
return errors.New("the number of \"_\" in role definition should be at least 2")
}
for _, rule := range ast.Policy {
if len(rule) < count {
return errors.New("grouping policy elements do not meet role definition")
}
if len(rule) > count {
rule = rule[:count]
}
err := ast.RM.AddLink(rule[0], rule[1], rule[2:]...)
if err != nil {
return err
}
}
return nil
}
func (ast *Assertion) buildIncrementalConditionalRoleLinks(condRM rbac.ConditionalRoleManager, op PolicyOp, rules [][]string) error {
ast.CondRM = condRM
count := strings.Count(ast.Value, "_")
if count < 2 {
return errors.New("the number of \"_\" in role definition should be at least 2")
}
for _, rule := range rules {
if len(rule) < count {
return errors.New("grouping policy elements do not meet role definition")
}
if len(rule) > count {
rule = rule[:count]
}
var err error
domainRule := rule[2:len(ast.Tokens)]
switch op {
case PolicyAdd:
err = ast.addConditionalRoleLink(rule, domainRule)
case PolicyRemove:
err = ast.CondRM.DeleteLink(rule[0], rule[1], rule[2:]...)
}
if err != nil {
return err
}
}
return nil
}
func (ast *Assertion) buildConditionalRoleLinks(condRM rbac.ConditionalRoleManager) error {
ast.CondRM = condRM
count := strings.Count(ast.Value, "_")
if count < 2 {
return errors.New("the number of \"_\" in role definition should be at least 2")
}
for _, rule := range ast.Policy {
if len(rule) < count {
return errors.New("grouping policy elements do not meet role definition")
}
if len(rule) > count {
rule = rule[:count]
}
domainRule := rule[2:len(ast.Tokens)]
err := ast.addConditionalRoleLink(rule, domainRule)
if err != nil {
return err
}
}
return nil
}
// addConditionalRoleLink adds Link to rbac.ConditionalRoleManager and sets the parameters for LinkConditionFunc.
func (ast *Assertion) addConditionalRoleLink(rule []string, domainRule []string) error {
var err error
if len(domainRule) == 0 {
err = ast.CondRM.AddLink(rule[0], rule[1])
if err == nil {
ast.CondRM.SetLinkConditionFuncParams(rule[0], rule[1], rule[len(ast.Tokens):]...)
}
} else {
domain := domainRule[0]
err = ast.CondRM.AddLink(rule[0], rule[1], domain)
if err == nil {
ast.CondRM.SetDomainLinkConditionFuncParams(rule[0], rule[1], domain, rule[len(ast.Tokens):]...)
}
}
return err
}
func (ast *Assertion) setLogger(logger log.Logger) {
ast.logger = logger
}
func (ast *Assertion) copy() *Assertion {
tokens := append([]string(nil), ast.Tokens...)
policy := make([][]string, len(ast.Policy))
for i, p := range ast.Policy {
policy[i] = append(policy[i], p...)
}
policyMap := make(map[string]int)
for k, v := range ast.PolicyMap {
policyMap[k] = v
}
newAst := &Assertion{
Key: ast.Key,
Value: ast.Value,
PolicyMap: policyMap,
Tokens: tokens,
Policy: policy,
FieldIndexMap: ast.FieldIndexMap,
}
return newAst
}

66
vendor/github.com/casbin/casbin/v2/model/function.go generated vendored
View File

@@ -1,66 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package model
import (
"sync"
"github.com/casbin/casbin/v2/util"
"github.com/casbin/govaluate"
)
// FunctionMap represents the collection of Function.
type FunctionMap struct {
fns *sync.Map
}
// [string]govaluate.ExpressionFunction
// AddFunction adds an expression function.
func (fm *FunctionMap) AddFunction(name string, function govaluate.ExpressionFunction) {
fm.fns.LoadOrStore(name, function)
}
// LoadFunctionMap loads an initial function map.
func LoadFunctionMap() FunctionMap {
fm := &FunctionMap{}
fm.fns = &sync.Map{}
fm.AddFunction("keyMatch", util.KeyMatchFunc)
fm.AddFunction("keyGet", util.KeyGetFunc)
fm.AddFunction("keyMatch2", util.KeyMatch2Func)
fm.AddFunction("keyGet2", util.KeyGet2Func)
fm.AddFunction("keyMatch3", util.KeyMatch3Func)
fm.AddFunction("keyGet3", util.KeyGet3Func)
fm.AddFunction("keyMatch4", util.KeyMatch4Func)
fm.AddFunction("keyMatch5", util.KeyMatch5Func)
fm.AddFunction("regexMatch", util.RegexMatchFunc)
fm.AddFunction("ipMatch", util.IPMatchFunc)
fm.AddFunction("globMatch", util.GlobMatchFunc)
return *fm
}
// GetFunctions return a map with all the functions.
func (fm *FunctionMap) GetFunctions() map[string]govaluate.ExpressionFunction {
ret := make(map[string]govaluate.ExpressionFunction)
fm.fns.Range(func(k interface{}, v interface{}) bool {
ret[k.(string)] = v.(govaluate.ExpressionFunction)
return true
})
return ret
}

434
vendor/github.com/casbin/casbin/v2/model/model.go generated vendored
View File

@@ -1,434 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package model
import (
"container/list"
"errors"
"fmt"
"regexp"
"sort"
"strconv"
"strings"
"github.com/casbin/casbin/v2/config"
"github.com/casbin/casbin/v2/constant"
"github.com/casbin/casbin/v2/log"
"github.com/casbin/casbin/v2/util"
)
// Model represents the whole access control model.
type Model map[string]AssertionMap
// AssertionMap is the collection of assertions, can be "r", "p", "g", "e", "m".
type AssertionMap map[string]*Assertion
const defaultDomain string = ""
const defaultSeparator = "::"
var sectionNameMap = map[string]string{
"r": "request_definition",
"p": "policy_definition",
"g": "role_definition",
"e": "policy_effect",
"m": "matchers",
}
// Minimal required sections for a model to be valid.
var requiredSections = []string{"r", "p", "e", "m"}
func loadAssertion(model Model, cfg config.ConfigInterface, sec string, key string) bool {
value := cfg.String(sectionNameMap[sec] + "::" + key)
return model.AddDef(sec, key, value)
}
var paramsRegex = regexp.MustCompile(`\((.*?)\)`)
// getParamsToken Get ParamsToken from Assertion.Value.
func getParamsToken(value string) []string {
paramsString := paramsRegex.FindString(value)
if paramsString == "" {
return nil
}
paramsString = strings.TrimSuffix(strings.TrimPrefix(paramsString, "("), ")")
return strings.Split(paramsString, ",")
}
// AddDef adds an assertion to the model.
func (model Model) AddDef(sec string, key string, value string) bool {
if value == "" {
return false
}
ast := Assertion{}
ast.Key = key
ast.Value = value
ast.PolicyMap = make(map[string]int)
ast.FieldIndexMap = make(map[string]int)
ast.setLogger(model.GetLogger())
if sec == "r" || sec == "p" {
ast.Tokens = strings.Split(ast.Value, ",")
for i := range ast.Tokens {
ast.Tokens[i] = key + "_" + strings.TrimSpace(ast.Tokens[i])
}
} else if sec == "g" {
ast.ParamsTokens = getParamsToken(ast.Value)
ast.Tokens = strings.Split(ast.Value, ",")
ast.Tokens = ast.Tokens[:len(ast.Tokens)-len(ast.ParamsTokens)]
} else {
ast.Value = util.RemoveComments(util.EscapeAssertion(ast.Value))
}
if sec == "m" && strings.Contains(ast.Value, "in") {
ast.Value = strings.Replace(strings.Replace(ast.Value, "[", "(", -1), "]", ")", -1)
}
_, ok := model[sec]
if !ok {
model[sec] = make(AssertionMap)
}
model[sec][key] = &ast
return true
}
func getKeySuffix(i int) string {
if i == 1 {
return ""
}
return strconv.Itoa(i)
}
func loadSection(model Model, cfg config.ConfigInterface, sec string) {
i := 1
for {
if !loadAssertion(model, cfg, sec, sec+getKeySuffix(i)) {
break
} else {
i++
}
}
}
// SetLogger sets the model's logger.
func (model Model) SetLogger(logger log.Logger) {
for _, astMap := range model {
for _, ast := range astMap {
ast.logger = logger
}
}
model["logger"] = AssertionMap{"logger": &Assertion{logger: logger}}
}
// GetLogger returns the model's logger.
func (model Model) GetLogger() log.Logger {
return model["logger"]["logger"].logger
}
// NewModel creates an empty model.
func NewModel() Model {
m := make(Model)
m.SetLogger(&log.DefaultLogger{})
return m
}
// NewModelFromFile creates a model from a .CONF file.
func NewModelFromFile(path string) (Model, error) {
m := NewModel()
err := m.LoadModel(path)
if err != nil {
return nil, err
}
return m, nil
}
// NewModelFromString creates a model from a string which contains model text.
func NewModelFromString(text string) (Model, error) {
m := NewModel()
err := m.LoadModelFromText(text)
if err != nil {
return nil, err
}
return m, nil
}
// LoadModel loads the model from model CONF file.
func (model Model) LoadModel(path string) error {
cfg, err := config.NewConfig(path)
if err != nil {
return err
}
return model.loadModelFromConfig(cfg)
}
// LoadModelFromText loads the model from the text.
func (model Model) LoadModelFromText(text string) error {
cfg, err := config.NewConfigFromText(text)
if err != nil {
return err
}
return model.loadModelFromConfig(cfg)
}
func (model Model) loadModelFromConfig(cfg config.ConfigInterface) error {
for s := range sectionNameMap {
loadSection(model, cfg, s)
}
ms := make([]string, 0)
for _, rs := range requiredSections {
if !model.hasSection(rs) {
ms = append(ms, sectionNameMap[rs])
}
}
if len(ms) > 0 {
return fmt.Errorf("missing required sections: %s", strings.Join(ms, ","))
}
return nil
}
func (model Model) hasSection(sec string) bool {
section := model[sec]
return section != nil
}
func (model Model) GetAssertion(sec string, ptype string) (*Assertion, error) {
if model[sec] == nil {
return nil, fmt.Errorf("missing required section %s", sec)
}
if model[sec][ptype] == nil {
return nil, fmt.Errorf("missiong required definition %s in section %s", ptype, sec)
}
return model[sec][ptype], nil
}
// PrintModel prints the model to the log.
func (model Model) PrintModel() {
if !model.GetLogger().IsEnabled() {
return
}
var modelInfo [][]string
for k, v := range model {
if k == "logger" {
continue
}
for i, j := range v {
modelInfo = append(modelInfo, []string{k, i, j.Value})
}
}
model.GetLogger().LogModel(modelInfo)
}
func (model Model) SortPoliciesBySubjectHierarchy() error {
if model["e"]["e"].Value != constant.SubjectPriorityEffect {
return nil
}
g, err := model.GetAssertion("g", "g")
if err != nil {
return err
}
subIndex := 0
for ptype, assertion := range model["p"] {
domainIndex, err := model.GetFieldIndex(ptype, constant.DomainIndex)
if err != nil {
domainIndex = -1
}
policies := assertion.Policy
subjectHierarchyMap, err := getSubjectHierarchyMap(g.Policy)
if err != nil {
return err
}
sort.SliceStable(policies, func(i, j int) bool {
domain1, domain2 := defaultDomain, defaultDomain
if domainIndex != -1 {
domain1 = policies[i][domainIndex]
domain2 = policies[j][domainIndex]
}
name1, name2 := getNameWithDomain(domain1, policies[i][subIndex]), getNameWithDomain(domain2, policies[j][subIndex])
p1 := subjectHierarchyMap[name1]
p2 := subjectHierarchyMap[name2]
return p1 > p2
})
for i, policy := range assertion.Policy {
assertion.PolicyMap[strings.Join(policy, ",")] = i
}
}
return nil
}
func getSubjectHierarchyMap(policies [][]string) (map[string]int, error) {
subjectHierarchyMap := make(map[string]int)
// Tree structure of role
policyMap := make(map[string][]string)
for _, policy := range policies {
if len(policy) < 2 {
return nil, errors.New("policy g expect 2 more params")
}
domain := defaultDomain
if len(policy) != 2 {
domain = policy[2]
}
child := getNameWithDomain(domain, policy[0])
parent := getNameWithDomain(domain, policy[1])
policyMap[parent] = append(policyMap[parent], child)
if _, ok := subjectHierarchyMap[child]; !ok {
subjectHierarchyMap[child] = 0
}
if _, ok := subjectHierarchyMap[parent]; !ok {
subjectHierarchyMap[parent] = 0
}
subjectHierarchyMap[child] = 1
}
// Use queues for levelOrder
queue := list.New()
for k, v := range subjectHierarchyMap {
root := k
if v != 0 {
continue
}
lv := 0
queue.PushBack(root)
for queue.Len() != 0 {
sz := queue.Len()
for i := 0; i < sz; i++ {
node := queue.Front()
queue.Remove(node)
nodeValue := node.Value.(string)
subjectHierarchyMap[nodeValue] = lv
if _, ok := policyMap[nodeValue]; ok {
for _, child := range policyMap[nodeValue] {
queue.PushBack(child)
}
}
}
lv++
}
}
return subjectHierarchyMap, nil
}
func getNameWithDomain(domain string, name string) string {
return domain + defaultSeparator + name
}
func (model Model) SortPoliciesByPriority() error {
for ptype, assertion := range model["p"] {
priorityIndex, err := model.GetFieldIndex(ptype, constant.PriorityIndex)
if err != nil {
continue
}
policies := assertion.Policy
sort.SliceStable(policies, func(i, j int) bool {
p1, err := strconv.Atoi(policies[i][priorityIndex])
if err != nil {
return true
}
p2, err := strconv.Atoi(policies[j][priorityIndex])
if err != nil {
return true
}
return p1 < p2
})
for i, policy := range assertion.Policy {
assertion.PolicyMap[strings.Join(policy, ",")] = i
}
}
return nil
}
func (model Model) ToText() string {
tokenPatterns := make(map[string]string)
pPattern, rPattern := regexp.MustCompile("^p_"), regexp.MustCompile("^r_")
for _, ptype := range []string{"r", "p"} {
for _, token := range model[ptype][ptype].Tokens {
tokenPatterns[token] = rPattern.ReplaceAllString(pPattern.ReplaceAllString(token, "p."), "r.")
}
}
if strings.Contains(model["e"]["e"].Value, "p_eft") {
tokenPatterns["p_eft"] = "p.eft"
}
s := strings.Builder{}
writeString := func(sec string) {
for ptype := range model[sec] {
value := model[sec][ptype].Value
for tokenPattern, newToken := range tokenPatterns {
value = strings.Replace(value, tokenPattern, newToken, -1)
}
s.WriteString(fmt.Sprintf("%s = %s\n", sec, value))
}
}
s.WriteString("[request_definition]\n")
writeString("r")
s.WriteString("[policy_definition]\n")
writeString("p")
if _, ok := model["g"]; ok {
s.WriteString("[role_definition]\n")
for ptype := range model["g"] {
s.WriteString(fmt.Sprintf("%s = %s\n", ptype, model["g"][ptype].Value))
}
}
s.WriteString("[policy_effect]\n")
writeString("e")
s.WriteString("[matchers]\n")
writeString("m")
return s.String()
}
func (model Model) Copy() Model {
newModel := NewModel()
for sec, m := range model {
newAstMap := make(AssertionMap)
for ptype, ast := range m {
newAstMap[ptype] = ast.copy()
}
newModel[sec] = newAstMap
}
newModel.SetLogger(model.GetLogger())
return newModel
}
func (model Model) GetFieldIndex(ptype string, field string) (int, error) {
assertion := model["p"][ptype]
if index, ok := assertion.FieldIndexMap[field]; ok {
return index, nil
}
pattern := fmt.Sprintf("%s_"+field, ptype)
index := -1
for i, token := range assertion.Tokens {
if token == pattern {
index = i
break
}
}
if index == -1 {
return index, fmt.Errorf(field + " index is not set, please use enforcer.SetFieldIndex() to set index")
}
assertion.FieldIndexMap[field] = index
return index, nil
}

482
vendor/github.com/casbin/casbin/v2/model/policy.go generated vendored
View File

@@ -1,482 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package model
import (
"fmt"
"strconv"
"strings"
"github.com/casbin/casbin/v2/constant"
"github.com/casbin/casbin/v2/rbac"
"github.com/casbin/casbin/v2/util"
)
type (
PolicyOp int
)
const (
PolicyAdd PolicyOp = iota
PolicyRemove
)
const DefaultSep = ","
// BuildIncrementalRoleLinks provides incremental build the role inheritance relations.
func (model Model) BuildIncrementalRoleLinks(rmMap map[string]rbac.RoleManager, op PolicyOp, sec string, ptype string, rules [][]string) error {
if sec == "g" && rmMap[ptype] != nil {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return err
}
return model[sec][ptype].buildIncrementalRoleLinks(rmMap[ptype], op, rules)
}
return nil
}
// BuildRoleLinks initializes the roles in RBAC.
func (model Model) BuildRoleLinks(rmMap map[string]rbac.RoleManager) error {
model.PrintPolicy()
for ptype, ast := range model["g"] {
if rm := rmMap[ptype]; rm != nil {
err := ast.buildRoleLinks(rm)
if err != nil {
return err
}
}
}
return nil
}
// BuildIncrementalConditionalRoleLinks provides incremental build the role inheritance relations.
func (model Model) BuildIncrementalConditionalRoleLinks(condRmMap map[string]rbac.ConditionalRoleManager, op PolicyOp, sec string, ptype string, rules [][]string) error {
if sec == "g" && condRmMap[ptype] != nil {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return err
}
return model[sec][ptype].buildIncrementalConditionalRoleLinks(condRmMap[ptype], op, rules)
}
return nil
}
// BuildConditionalRoleLinks initializes the roles in RBAC.
func (model Model) BuildConditionalRoleLinks(condRmMap map[string]rbac.ConditionalRoleManager) error {
model.PrintPolicy()
for ptype, ast := range model["g"] {
if condRm := condRmMap[ptype]; condRm != nil {
err := ast.buildConditionalRoleLinks(condRm)
if err != nil {
return err
}
}
}
return nil
}
// PrintPolicy prints the policy to log.
func (model Model) PrintPolicy() {
if !model.GetLogger().IsEnabled() {
return
}
policy := make(map[string][][]string)
for key, ast := range model["p"] {
value, found := policy[key]
if found {
value = append(value, ast.Policy...)
policy[key] = value
} else {
policy[key] = ast.Policy
}
}
for key, ast := range model["g"] {
value, found := policy[key]
if found {
value = append(value, ast.Policy...)
policy[key] = value
} else {
policy[key] = ast.Policy
}
}
model.GetLogger().LogPolicy(policy)
}
// ClearPolicy clears all current policy.
func (model Model) ClearPolicy() {
for _, ast := range model["p"] {
ast.Policy = nil
ast.PolicyMap = map[string]int{}
}
for _, ast := range model["g"] {
ast.Policy = nil
ast.PolicyMap = map[string]int{}
}
}
// GetPolicy gets all rules in a policy.
func (model Model) GetPolicy(sec string, ptype string) ([][]string, error) {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return nil, err
}
return model[sec][ptype].Policy, nil
}
// GetFilteredPolicy gets rules based on field filters from a policy.
func (model Model) GetFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) ([][]string, error) {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return nil, err
}
res := [][]string{}
for _, rule := range model[sec][ptype].Policy {
matched := true
for i, fieldValue := range fieldValues {
if fieldValue != "" && rule[fieldIndex+i] != fieldValue {
matched = false
break
}
}
if matched {
res = append(res, rule)
}
}
return res, nil
}
// HasPolicyEx determines whether a model has the specified policy rule with error.
func (model Model) HasPolicyEx(sec string, ptype string, rule []string) (bool, error) {
assertion, err := model.GetAssertion(sec, ptype)
if err != nil {
return false, err
}
switch sec {
case "p":
if len(rule) != len(assertion.Tokens) {
return false, fmt.Errorf(
"invalid policy rule size: expected %d, got %d, rule: %v",
len(model["p"][ptype].Tokens),
len(rule),
rule)
}
case "g":
if len(rule) < len(assertion.Tokens) {
return false, fmt.Errorf(
"invalid policy rule size: expected %d, got %d, rule: %v",
len(model["g"][ptype].Tokens),
len(rule),
rule)
}
}
return model.HasPolicy(sec, ptype, rule)
}
// HasPolicy determines whether a model has the specified policy rule.
func (model Model) HasPolicy(sec string, ptype string, rule []string) (bool, error) {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return false, err
}
_, ok := model[sec][ptype].PolicyMap[strings.Join(rule, DefaultSep)]
return ok, nil
}
// HasPolicies determines whether a model has any of the specified policies. If one is found we return true.
func (model Model) HasPolicies(sec string, ptype string, rules [][]string) (bool, error) {
for i := 0; i < len(rules); i++ {
ok, err := model.HasPolicy(sec, ptype, rules[i])
if err != nil {
return false, err
}
if ok {
return true, nil
}
}
return false, nil
}
// AddPolicy adds a policy rule to the model.
func (model Model) AddPolicy(sec string, ptype string, rule []string) error {
assertion, err := model.GetAssertion(sec, ptype)
if err != nil {
return err
}
assertion.Policy = append(assertion.Policy, rule)
assertion.PolicyMap[strings.Join(rule, DefaultSep)] = len(model[sec][ptype].Policy) - 1
hasPriority := false
if _, ok := assertion.FieldIndexMap[constant.PriorityIndex]; ok {
hasPriority = true
}
if sec == "p" && hasPriority {
if idxInsert, err := strconv.Atoi(rule[assertion.FieldIndexMap[constant.PriorityIndex]]); err == nil {
i := len(assertion.Policy) - 1
for ; i > 0; i-- {
idx, err := strconv.Atoi(assertion.Policy[i-1][assertion.FieldIndexMap[constant.PriorityIndex]])
if err != nil || idx <= idxInsert {
break
}
assertion.Policy[i] = assertion.Policy[i-1]
assertion.PolicyMap[strings.Join(assertion.Policy[i-1], DefaultSep)]++
}
assertion.Policy[i] = rule
assertion.PolicyMap[strings.Join(rule, DefaultSep)] = i
}
}
return nil
}
// AddPolicies adds policy rules to the model.
func (model Model) AddPolicies(sec string, ptype string, rules [][]string) error {
_, err := model.AddPoliciesWithAffected(sec, ptype, rules)
return err
}
// AddPoliciesWithAffected adds policy rules to the model, and returns affected rules.
func (model Model) AddPoliciesWithAffected(sec string, ptype string, rules [][]string) ([][]string, error) {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return nil, err
}
var affected [][]string
for _, rule := range rules {
hashKey := strings.Join(rule, DefaultSep)
_, ok := model[sec][ptype].PolicyMap[hashKey]
if ok {
continue
}
affected = append(affected, rule)
err = model.AddPolicy(sec, ptype, rule)
if err != nil {
return affected, err
}
}
return affected, err
}
// RemovePolicy removes a policy rule from the model.
// Deprecated: Using AddPoliciesWithAffected instead.
func (model Model) RemovePolicy(sec string, ptype string, rule []string) (bool, error) {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return false, err
}
index, ok := model[sec][ptype].PolicyMap[strings.Join(rule, DefaultSep)]
if !ok {
return false, err
}
model[sec][ptype].Policy = append(model[sec][ptype].Policy[:index], model[sec][ptype].Policy[index+1:]...)
delete(model[sec][ptype].PolicyMap, strings.Join(rule, DefaultSep))
for i := index; i < len(model[sec][ptype].Policy); i++ {
model[sec][ptype].PolicyMap[strings.Join(model[sec][ptype].Policy[i], DefaultSep)] = i
}
return true, err
}
// UpdatePolicy updates a policy rule from the model.
func (model Model) UpdatePolicy(sec string, ptype string, oldRule []string, newRule []string) (bool, error) {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return false, err
}
oldPolicy := strings.Join(oldRule, DefaultSep)
index, ok := model[sec][ptype].PolicyMap[oldPolicy]
if !ok {
return false, nil
}
model[sec][ptype].Policy[index] = newRule
delete(model[sec][ptype].PolicyMap, oldPolicy)
model[sec][ptype].PolicyMap[strings.Join(newRule, DefaultSep)] = index
return true, nil
}
// UpdatePolicies updates a policy rule from the model.
func (model Model) UpdatePolicies(sec string, ptype string, oldRules, newRules [][]string) (bool, error) {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return false, err
}
rollbackFlag := false
// index -> []{oldIndex, newIndex}
modifiedRuleIndex := make(map[int][]int)
// rollback
defer func() {
if rollbackFlag {
for index, oldNewIndex := range modifiedRuleIndex {
model[sec][ptype].Policy[index] = oldRules[oldNewIndex[0]]
oldPolicy := strings.Join(oldRules[oldNewIndex[0]], DefaultSep)
newPolicy := strings.Join(newRules[oldNewIndex[1]], DefaultSep)
delete(model[sec][ptype].PolicyMap, newPolicy)
model[sec][ptype].PolicyMap[oldPolicy] = index
}
}
}()
newIndex := 0
for oldIndex, oldRule := range oldRules {
oldPolicy := strings.Join(oldRule, DefaultSep)
index, ok := model[sec][ptype].PolicyMap[oldPolicy]
if !ok {
rollbackFlag = true
return false, nil
}
model[sec][ptype].Policy[index] = newRules[newIndex]
delete(model[sec][ptype].PolicyMap, oldPolicy)
model[sec][ptype].PolicyMap[strings.Join(newRules[newIndex], DefaultSep)] = index
modifiedRuleIndex[index] = []int{oldIndex, newIndex}
newIndex++
}
return true, nil
}
// RemovePolicies removes policy rules from the model.
func (model Model) RemovePolicies(sec string, ptype string, rules [][]string) (bool, error) {
affected, err := model.RemovePoliciesWithAffected(sec, ptype, rules)
return len(affected) != 0, err
}
// RemovePoliciesWithAffected removes policy rules from the model, and returns affected rules.
func (model Model) RemovePoliciesWithAffected(sec string, ptype string, rules [][]string) ([][]string, error) {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return nil, err
}
var affected [][]string
for _, rule := range rules {
index, ok := model[sec][ptype].PolicyMap[strings.Join(rule, DefaultSep)]
if !ok {
continue
}
affected = append(affected, rule)
model[sec][ptype].Policy = append(model[sec][ptype].Policy[:index], model[sec][ptype].Policy[index+1:]...)
delete(model[sec][ptype].PolicyMap, strings.Join(rule, DefaultSep))
for i := index; i < len(model[sec][ptype].Policy); i++ {
model[sec][ptype].PolicyMap[strings.Join(model[sec][ptype].Policy[i], DefaultSep)] = i
}
}
return affected, nil
}
// RemoveFilteredPolicy removes policy rules based on field filters from the model.
func (model Model) RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) (bool, [][]string, error) {
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return false, nil, err
}
var tmp [][]string
var effects [][]string
res := false
model[sec][ptype].PolicyMap = map[string]int{}
for _, rule := range model[sec][ptype].Policy {
matched := true
for i, fieldValue := range fieldValues {
if fieldValue != "" && rule[fieldIndex+i] != fieldValue {
matched = false
break
}
}
if matched {
effects = append(effects, rule)
} else {
tmp = append(tmp, rule)
model[sec][ptype].PolicyMap[strings.Join(rule, DefaultSep)] = len(tmp) - 1
}
}
if len(tmp) != len(model[sec][ptype].Policy) {
model[sec][ptype].Policy = tmp
res = true
}
return res, effects, nil
}
// GetValuesForFieldInPolicy gets all values for a field for all rules in a policy, duplicated values are removed.
func (model Model) GetValuesForFieldInPolicy(sec string, ptype string, fieldIndex int) ([]string, error) {
values := []string{}
_, err := model.GetAssertion(sec, ptype)
if err != nil {
return nil, err
}
for _, rule := range model[sec][ptype].Policy {
values = append(values, rule[fieldIndex])
}
util.ArrayRemoveDuplicates(&values)
return values, nil
}
// GetValuesForFieldInPolicyAllTypes gets all values for a field for all rules in a policy of all ptypes, duplicated values are removed.
func (model Model) GetValuesForFieldInPolicyAllTypes(sec string, fieldIndex int) ([]string, error) {
values := []string{}
for ptype := range model[sec] {
v, err := model.GetValuesForFieldInPolicy(sec, ptype, fieldIndex)
if err != nil {
return nil, err
}
values = append(values, v...)
}
util.ArrayRemoveDuplicates(&values)
return values, nil
}
// GetValuesForFieldInPolicyAllTypesByName gets all values for a field for all rules in a policy of all ptypes, duplicated values are removed.
func (model Model) GetValuesForFieldInPolicyAllTypesByName(sec string, field string) ([]string, error) {
values := []string{}
for ptype := range model[sec] {
// GetFieldIndex will return (-1, err) if field is not found, ignore it
index, err := model.GetFieldIndex(ptype, field)
if err != nil {
continue
}
v, err := model.GetValuesForFieldInPolicy(sec, ptype, index)
if err != nil {
return nil, err
}
values = append(values, v...)
}
util.ArrayRemoveDuplicates(&values)
return values, nil
}

74
vendor/github.com/casbin/casbin/v2/persist/adapter.go generated vendored
View File

@@ -1,74 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
import (
"encoding/csv"
"strings"
"github.com/casbin/casbin/v2/model"
)
// LoadPolicyLine loads a text line as a policy rule to model.
func LoadPolicyLine(line string, m model.Model) error {
if line == "" || strings.HasPrefix(line, "#") {
return nil
}
r := csv.NewReader(strings.NewReader(line))
r.Comma = ','
r.Comment = '#'
r.TrimLeadingSpace = true
tokens, err := r.Read()
if err != nil {
return err
}
return LoadPolicyArray(tokens, m)
}
// LoadPolicyArray loads a policy rule to model.
func LoadPolicyArray(rule []string, m model.Model) error {
key := rule[0]
sec := key[:1]
ok, err := m.HasPolicyEx(sec, key, rule[1:])
if err != nil {
return err
}
if ok {
return nil // skip duplicated policy
}
m.AddPolicy(sec, key, rule[1:])
return nil
}
// Adapter is the interface for Casbin adapters.
type Adapter interface {
// LoadPolicy loads all policy rules from the storage.
LoadPolicy(model model.Model) error
// SavePolicy saves all policy rules to the storage.
SavePolicy(model model.Model) error
// AddPolicy adds a policy rule to the storage.
// This is part of the Auto-Save feature.
AddPolicy(sec string, ptype string, rule []string) error
// RemovePolicy removes a policy rule from the storage.
// This is part of the Auto-Save feature.
RemovePolicy(sec string, ptype string, rule []string) error
// RemoveFilteredPolicy removes policy rules that match the filter from the storage.
// This is part of the Auto-Save feature.
RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error
}

39
vendor/github.com/casbin/casbin/v2/persist/adapter_context.go generated vendored
View File

@@ -1,39 +0,0 @@
// Copyright 2023 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
import (
"context"
"github.com/casbin/casbin/v2/model"
)
// ContextAdapter provides a context-aware interface for Casbin adapters.
type ContextAdapter interface {
// LoadPolicyCtx loads all policy rules from the storage with context.
LoadPolicyCtx(ctx context.Context, model model.Model) error
// SavePolicyCtx saves all policy rules to the storage with context.
SavePolicyCtx(ctx context.Context, model model.Model) error
// AddPolicyCtx adds a policy rule to the storage with context.
// This is part of the Auto-Save feature.
AddPolicyCtx(ctx context.Context, sec string, ptype string, rule []string) error
// RemovePolicyCtx removes a policy rule from the storage with context.
// This is part of the Auto-Save feature.
RemovePolicyCtx(ctx context.Context, sec string, ptype string, rule []string) error
// RemoveFilteredPolicyCtx removes policy rules that match the filter from the storage with context.
// This is part of the Auto-Save feature.
RemoveFilteredPolicyCtx(ctx context.Context, sec string, ptype string, fieldIndex int, fieldValues ...string) error
}

29
vendor/github.com/casbin/casbin/v2/persist/adapter_filtered.go generated vendored
View File

@@ -1,29 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
import (
"github.com/casbin/casbin/v2/model"
)
// FilteredAdapter is the interface for Casbin adapters supporting filtered policies.
type FilteredAdapter interface {
Adapter
// LoadFilteredPolicy loads only policy rules that match the filter.
LoadFilteredPolicy(model model.Model, filter interface{}) error
// IsFiltered returns true if the loaded policy has been filtered.
IsFiltered() bool
}

31
vendor/github.com/casbin/casbin/v2/persist/adapter_filtered_context.go generated vendored
View File

@@ -1,31 +0,0 @@
// Copyright 2024 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
import (
"context"
"github.com/casbin/casbin/v2/model"
)
// ContextFilteredAdapter is the context-aware interface for Casbin adapters supporting filtered policies.
type ContextFilteredAdapter interface {
ContextAdapter
// LoadFilteredPolicyCtx loads only policy rules that match the filter.
LoadFilteredPolicyCtx(ctx context.Context, model model.Model, filter interface{}) error
// IsFilteredCtx returns true if the loaded policy has been filtered.
IsFilteredCtx(ctx context.Context) bool
}

26
vendor/github.com/casbin/casbin/v2/persist/batch_adapter.go generated vendored
View File

@@ -1,26 +0,0 @@
// Copyright 2020 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
// BatchAdapter is the interface for Casbin adapters with multiple add and remove policy functions.
type BatchAdapter interface {
Adapter
// AddPolicies adds policy rules to the storage.
// This is part of the Auto-Save feature.
AddPolicies(sec string, ptype string, rules [][]string) error
// RemovePolicies removes policy rules from the storage.
// This is part of the Auto-Save feature.
RemovePolicies(sec string, ptype string, rules [][]string) error
}

29
vendor/github.com/casbin/casbin/v2/persist/batch_adapter_context.go generated vendored
View File

@@ -1,29 +0,0 @@
// Copyright 2024 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
import "context"
// ContextBatchAdapter is the context-aware interface for Casbin adapters with multiple add and remove policy functions.
type ContextBatchAdapter interface {
ContextAdapter
// AddPoliciesCtx adds policy rules to the storage.
// This is part of the Auto-Save feature.
AddPoliciesCtx(ctx context.Context, sec string, ptype string, rules [][]string) error
// RemovePoliciesCtx removes policy rules from the storage.
// This is part of the Auto-Save feature.
RemovePoliciesCtx(ctx context.Context, sec string, ptype string, rules [][]string) error
}

39
vendor/github.com/casbin/casbin/v2/persist/cache/cache.go generated vendored
View File

@@ -1,39 +0,0 @@
// Copyright 2021 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cache
import "errors"
var ErrNoSuchKey = errors.New("there's no such key existing in cache")
type Cache interface {
// Set puts key and value into cache.
// First parameter for extra should be time.Time object denoting expected survival time.
// If survival time equals 0 or less, the key will always be survival.
Set(key string, value bool, extra ...interface{}) error
// Get returns result for key,
// If there's no such key existing in cache,
// ErrNoSuchKey will be returned.
Get(key string) (bool, error)
// Delete will remove the specific key in cache.
// If there's no such key existing in cache,
// ErrNoSuchKey will be returned.
Delete(key string) error
// Clear deletes all the items stored in cache.
Clear() error
}

86
vendor/github.com/casbin/casbin/v2/persist/cache/cache_sync.go generated vendored
View File

@@ -1,86 +0,0 @@
// Copyright 2021 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cache
import (
"sync"
"time"
)
type SyncCache struct {
cache DefaultCache
sync.RWMutex
}
func (c *SyncCache) Set(key string, value bool, extra ...interface{}) error {
ttl := time.Duration(-1)
if len(extra) > 0 {
ttl = extra[0].(time.Duration)
}
c.Lock()
defer c.Unlock()
c.cache[key] = cacheItem{
value: value,
expiresAt: time.Now().Add(ttl),
ttl: ttl,
}
return nil
}
func (c *SyncCache) Get(key string) (bool, error) {
c.RLock()
res, ok := c.cache[key]
c.RUnlock()
if !ok {
return false, ErrNoSuchKey
} else {
if res.ttl > 0 && time.Now().After(res.expiresAt) {
c.Lock()
defer c.Unlock()
delete(c.cache, key)
return false, ErrNoSuchKey
}
return res.value, nil
}
}
func (c *SyncCache) Delete(key string) error {
c.RLock()
_, ok := c.cache[key]
c.RUnlock()
if !ok {
return ErrNoSuchKey
} else {
c.Lock()
defer c.Unlock()
delete(c.cache, key)
return nil
}
}
func (c *SyncCache) Clear() error {
c.Lock()
c.cache = make(DefaultCache)
c.Unlock()
return nil
}
func NewSyncCache() (Cache, error) {
cache := SyncCache{
make(DefaultCache),
sync.RWMutex{},
}
return &cache, nil
}

69
vendor/github.com/casbin/casbin/v2/persist/cache/default-cache.go generated vendored
View File

@@ -1,69 +0,0 @@
// Copyright 2021 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cache
import "time"
type cacheItem struct {
value bool
expiresAt time.Time
ttl time.Duration
}
type DefaultCache map[string]cacheItem
func (c *DefaultCache) Set(key string, value bool, extra ...interface{}) error {
ttl := time.Duration(-1)
if len(extra) > 0 {
ttl = extra[0].(time.Duration)
}
(*c)[key] = cacheItem{
value: value,
expiresAt: time.Now().Add(ttl),
ttl: ttl,
}
return nil
}
func (c *DefaultCache) Get(key string) (bool, error) {
if res, ok := (*c)[key]; !ok {
return false, ErrNoSuchKey
} else {
if res.ttl > 0 && time.Now().After(res.expiresAt) {
delete(*c, key)
return false, ErrNoSuchKey
}
return res.value, nil
}
}
func (c *DefaultCache) Delete(key string) error {
if _, ok := (*c)[key]; !ok {
return ErrNoSuchKey
} else {
delete(*c, key)
return nil
}
}
func (c *DefaultCache) Clear() error {
*c = make(DefaultCache)
return nil
}
func NewDefaultCache() (Cache, error) {
cache := make(DefaultCache)
return &cache, nil
}

33
vendor/github.com/casbin/casbin/v2/persist/dispatcher.go generated vendored
View File

@@ -1,33 +0,0 @@
// Copyright 2020 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
// Dispatcher is the interface for Casbin dispatcher.
type Dispatcher interface {
// AddPolicies adds policies rule to all instance.
AddPolicies(sec string, ptype string, rules [][]string) error
// RemovePolicies removes policies rule from all instance.
RemovePolicies(sec string, ptype string, rules [][]string) error
// RemoveFilteredPolicy removes policy rules that match the filter from all instance.
RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error
// ClearPolicy clears all current policy in all instances
ClearPolicy() error
// UpdatePolicy updates policy rule from all instance.
UpdatePolicy(sec string, ptype string, oldRule, newRule []string) error
// UpdatePolicies updates some policy rules from all instance
UpdatePolicies(sec string, ptype string, oldrules, newRules [][]string) error
// UpdateFilteredPolicies deletes old rules and adds new rules.
UpdateFilteredPolicies(sec string, ptype string, oldRules [][]string, newRules [][]string) error
}

149
vendor/github.com/casbin/casbin/v2/persist/file-adapter/adapter.go generated vendored
View File

@@ -1,149 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package fileadapter
import (
"bufio"
"bytes"
"errors"
"os"
"strings"
"github.com/casbin/casbin/v2/model"
"github.com/casbin/casbin/v2/persist"
"github.com/casbin/casbin/v2/util"
)
// Adapter is the file adapter for Casbin.
// It can load policy from file or save policy to file.
type Adapter struct {
filePath string
}
func (a *Adapter) UpdatePolicy(sec string, ptype string, oldRule, newRule []string) error {
return errors.New("not implemented")
}
func (a *Adapter) UpdatePolicies(sec string, ptype string, oldRules, newRules [][]string) error {
return errors.New("not implemented")
}
func (a *Adapter) UpdateFilteredPolicies(sec string, ptype string, newRules [][]string, fieldIndex int, fieldValues ...string) ([][]string, error) {
return nil, errors.New("not implemented")
}
// NewAdapter is the constructor for Adapter.
func NewAdapter(filePath string) *Adapter {
return &Adapter{filePath: filePath}
}
// LoadPolicy loads all policy rules from the storage.
func (a *Adapter) LoadPolicy(model model.Model) error {
if a.filePath == "" {
return errors.New("invalid file path, file path cannot be empty")
}
return a.loadPolicyFile(model, persist.LoadPolicyLine)
}
// SavePolicy saves all policy rules to the storage.
func (a *Adapter) SavePolicy(model model.Model) error {
if a.filePath == "" {
return errors.New("invalid file path, file path cannot be empty")
}
var tmp bytes.Buffer
for ptype, ast := range model["p"] {
for _, rule := range ast.Policy {
tmp.WriteString(ptype + ", ")
tmp.WriteString(util.ArrayToString(rule))
tmp.WriteString("\n")
}
}
for ptype, ast := range model["g"] {
for _, rule := range ast.Policy {
tmp.WriteString(ptype + ", ")
tmp.WriteString(util.ArrayToString(rule))
tmp.WriteString("\n")
}
}
return a.savePolicyFile(strings.TrimRight(tmp.String(), "\n"))
}
func (a *Adapter) loadPolicyFile(model model.Model, handler func(string, model.Model) error) error {
f, err := os.Open(a.filePath)
if err != nil {
return err
}
defer f.Close()
scanner := bufio.NewScanner(f)
for scanner.Scan() {
line := strings.TrimSpace(scanner.Text())
err = handler(line, model)
if err != nil {
return err
}
}
return scanner.Err()
}
func (a *Adapter) savePolicyFile(text string) error {
f, err := os.Create(a.filePath)
if err != nil {
return err
}
w := bufio.NewWriter(f)
_, err = w.WriteString(text)
if err != nil {
return err
}
err = w.Flush()
if err != nil {
return err
}
return f.Close()
}
// AddPolicy adds a policy rule to the storage.
func (a *Adapter) AddPolicy(sec string, ptype string, rule []string) error {
return errors.New("not implemented")
}
// AddPolicies adds policy rules to the storage.
func (a *Adapter) AddPolicies(sec string, ptype string, rules [][]string) error {
return errors.New("not implemented")
}
// RemovePolicy removes a policy rule from the storage.
func (a *Adapter) RemovePolicy(sec string, ptype string, rule []string) error {
return errors.New("not implemented")
}
// RemovePolicies removes policy rules from the storage.
func (a *Adapter) RemovePolicies(sec string, ptype string, rules [][]string) error {
return errors.New("not implemented")
}
// RemoveFilteredPolicy removes policy rules that match the filter from the storage.
func (a *Adapter) RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error {
return errors.New("not implemented")
}

156
vendor/github.com/casbin/casbin/v2/persist/file-adapter/adapter_filtered.go generated vendored
View File

@@ -1,156 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package fileadapter
import (
"bufio"
"errors"
"os"
"strings"
"github.com/casbin/casbin/v2/model"
"github.com/casbin/casbin/v2/persist"
)
// FilteredAdapter is the filtered file adapter for Casbin. It can load policy
// from file or save policy to file and supports loading of filtered policies.
type FilteredAdapter struct {
*Adapter
filtered bool
}
// Filter defines the filtering rules for a FilteredAdapter's policy. Empty values
// are ignored, but all others must match the filter.
type Filter struct {
P []string
G []string
G1 []string
G2 []string
G3 []string
G4 []string
G5 []string
}
// NewFilteredAdapter is the constructor for FilteredAdapter.
func NewFilteredAdapter(filePath string) *FilteredAdapter {
a := FilteredAdapter{}
a.filtered = true
a.Adapter = NewAdapter(filePath)
return &a
}
// LoadPolicy loads all policy rules from the storage.
func (a *FilteredAdapter) LoadPolicy(model model.Model) error {
a.filtered = false
return a.Adapter.LoadPolicy(model)
}
// LoadFilteredPolicy loads only policy rules that match the filter.
func (a *FilteredAdapter) LoadFilteredPolicy(model model.Model, filter interface{}) error {
if filter == nil {
return a.LoadPolicy(model)
}
if a.filePath == "" {
return errors.New("invalid file path, file path cannot be empty")
}
filterValue, ok := filter.(*Filter)
if !ok {
return errors.New("invalid filter type")
}
err := a.loadFilteredPolicyFile(model, filterValue, persist.LoadPolicyLine)
if err == nil {
a.filtered = true
}
return err
}
func (a *FilteredAdapter) loadFilteredPolicyFile(model model.Model, filter *Filter, handler func(string, model.Model) error) error {
f, err := os.Open(a.filePath)
if err != nil {
return err
}
defer f.Close()
scanner := bufio.NewScanner(f)
for scanner.Scan() {
line := strings.TrimSpace(scanner.Text())
if filterLine(line, filter) {
continue
}
err = handler(line, model)
if err != nil {
return err
}
}
return scanner.Err()
}
// IsFiltered returns true if the loaded policy has been filtered.
func (a *FilteredAdapter) IsFiltered() bool {
return a.filtered
}
// SavePolicy saves all policy rules to the storage.
func (a *FilteredAdapter) SavePolicy(model model.Model) error {
if a.filtered {
return errors.New("cannot save a filtered policy")
}
return a.Adapter.SavePolicy(model)
}
func filterLine(line string, filter *Filter) bool {
if filter == nil {
return false
}
p := strings.Split(line, ",")
if len(p) == 0 {
return true
}
var filterSlice []string
switch strings.TrimSpace(p[0]) {
case "p":
filterSlice = filter.P
case "g":
filterSlice = filter.G
case "g1":
filterSlice = filter.G1
case "g2":
filterSlice = filter.G2
case "g3":
filterSlice = filter.G3
case "g4":
filterSlice = filter.G4
case "g5":
filterSlice = filter.G5
}
return filterWords(p, filterSlice)
}
func filterWords(line []string, filter []string) bool {
if len(line) < len(filter)+1 {
return true
}
var skipLine bool
for i, v := range filter {
if len(v) > 0 && strings.TrimSpace(v) != strings.TrimSpace(line[i+1]) {
skipLine = true
break
}
}
return skipLine
}

122
vendor/github.com/casbin/casbin/v2/persist/file-adapter/adapter_mock.go generated vendored
View File

@@ -1,122 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package fileadapter
import (
"bufio"
"errors"
"io"
"os"
"strings"
"github.com/casbin/casbin/v2/model"
"github.com/casbin/casbin/v2/persist"
)
// AdapterMock is the file adapter for Casbin.
// It can load policy from file or save policy to file.
type AdapterMock struct {
filePath string
errorValue string
}
// NewAdapterMock is the constructor for AdapterMock.
func NewAdapterMock(filePath string) *AdapterMock {
a := AdapterMock{}
a.filePath = filePath
return &a
}
// LoadPolicy loads all policy rules from the storage.
func (a *AdapterMock) LoadPolicy(model model.Model) error {
err := a.loadPolicyFile(model, persist.LoadPolicyLine)
return err
}
// SavePolicy saves all policy rules to the storage.
func (a *AdapterMock) SavePolicy(model model.Model) error {
return nil
}
func (a *AdapterMock) loadPolicyFile(model model.Model, handler func(string, model.Model) error) error {
f, err := os.Open(a.filePath)
if err != nil {
return err
}
defer f.Close()
buf := bufio.NewReader(f)
for {
line, err := buf.ReadString('\n')
line = strings.TrimSpace(line)
if err2 := handler(line, model); err2 != nil {
return err2
}
if err != nil {
if err == io.EOF {
return nil
}
return err
}
}
}
// SetMockErr sets string to be returned by of the mock during testing.
func (a *AdapterMock) SetMockErr(errorToSet string) {
a.errorValue = errorToSet
}
// GetMockErr returns a mock error or nil.
func (a *AdapterMock) GetMockErr() error {
var returnError error
if a.errorValue != "" {
returnError = errors.New(a.errorValue)
}
return returnError
}
// AddPolicy adds a policy rule to the storage.
func (a *AdapterMock) AddPolicy(sec string, ptype string, rule []string) error {
return a.GetMockErr()
}
// AddPolicies removes policy rules from the storage.
func (a *AdapterMock) AddPolicies(sec string, ptype string, rules [][]string) error {
return a.GetMockErr()
}
// RemovePolicy removes a policy rule from the storage.
func (a *AdapterMock) RemovePolicy(sec string, ptype string, rule []string) error {
return a.GetMockErr()
}
// RemovePolicies removes policy rules from the storage.
func (a *AdapterMock) RemovePolicies(sec string, ptype string, rules [][]string) error {
return a.GetMockErr()
}
// UpdatePolicy removes a policy rule from the storage.
func (a *AdapterMock) UpdatePolicy(sec string, ptype string, oldRule, newPolicy []string) error {
return a.GetMockErr()
}
func (a *AdapterMock) UpdatePolicies(sec string, ptype string, oldRules, newRules [][]string) error {
return a.GetMockErr()
}
// RemoveFilteredPolicy removes policy rules that match the filter from the storage.
func (a *AdapterMock) RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error {
return a.GetMockErr()
}

27
vendor/github.com/casbin/casbin/v2/persist/update_adapter.go generated vendored
View File

@@ -1,27 +0,0 @@
// Copyright 2020 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
// UpdatableAdapter is the interface for Casbin adapters with add update policy function.
type UpdatableAdapter interface {
Adapter
// UpdatePolicy updates a policy rule from storage.
// This is part of the Auto-Save feature.
UpdatePolicy(sec string, ptype string, oldRule, newRule []string) error
// UpdatePolicies updates some policy rules to storage, like db, redis.
UpdatePolicies(sec string, ptype string, oldRules, newRules [][]string) error
// UpdateFilteredPolicies deletes old rules and adds new rules.
UpdateFilteredPolicies(sec string, ptype string, newRules [][]string, fieldIndex int, fieldValues ...string) ([][]string, error)
}

30
vendor/github.com/casbin/casbin/v2/persist/update_adapter_context.go generated vendored
View File

@@ -1,30 +0,0 @@
// Copyright 2024 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
import "context"
// ContextUpdatableAdapter is the context-aware interface for Casbin adapters with add update policy function.
type ContextUpdatableAdapter interface {
ContextAdapter
// UpdatePolicyCtx updates a policy rule from storage.
// This is part of the Auto-Save feature.
UpdatePolicyCtx(ctx context.Context, sec string, ptype string, oldRule, newRule []string) error
// UpdatePoliciesCtx updates some policy rules to storage, like db, redis.
UpdatePoliciesCtx(ctx context.Context, sec string, ptype string, oldRules, newRules [][]string) error
// UpdateFilteredPoliciesCtx deletes old rules and adds new rules.
UpdateFilteredPoliciesCtx(ctx context.Context, sec string, ptype string, newRules [][]string, fieldIndex int, fieldValues ...string) ([][]string, error)
}

29
vendor/github.com/casbin/casbin/v2/persist/watcher.go generated vendored
View File

@@ -1,29 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
// Watcher is the interface for Casbin watchers.
type Watcher interface {
// SetUpdateCallback sets the callback function that the watcher will call
// when the policy in DB has been changed by other instances.
// A classic callback is Enforcer.LoadPolicy().
SetUpdateCallback(func(string)) error
// Update calls the update callback of other instances to synchronize their policy.
// It is usually called after changing the policy in DB, like Enforcer.SavePolicy(),
// Enforcer.AddPolicy(), Enforcer.RemovePolicy(), etc.
Update() error
// Close stops and releases the watcher, the callback function will not be called any more.
Close()
}

40
vendor/github.com/casbin/casbin/v2/persist/watcher_ex.go generated vendored
View File

@@ -1,40 +0,0 @@
// Copyright 2020 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
import "github.com/casbin/casbin/v2/model"
// WatcherEx is the strengthened Casbin watchers.
type WatcherEx interface {
Watcher
// UpdateForAddPolicy calls the update callback of other instances to synchronize their policy.
// It is called after Enforcer.AddPolicy()
UpdateForAddPolicy(sec, ptype string, params ...string) error
// UpdateForRemovePolicy calls the update callback of other instances to synchronize their policy.
// It is called after Enforcer.RemovePolicy()
UpdateForRemovePolicy(sec, ptype string, params ...string) error
// UpdateForRemoveFilteredPolicy calls the update callback of other instances to synchronize their policy.
// It is called after Enforcer.RemoveFilteredNamedGroupingPolicy()
UpdateForRemoveFilteredPolicy(sec, ptype string, fieldIndex int, fieldValues ...string) error
// UpdateForSavePolicy calls the update callback of other instances to synchronize their policy.
// It is called after Enforcer.RemoveFilteredNamedGroupingPolicy()
UpdateForSavePolicy(model model.Model) error
// UpdateForAddPolicies calls the update callback of other instances to synchronize their policy.
// It is called after Enforcer.AddPolicies()
UpdateForAddPolicies(sec string, ptype string, rules ...[]string) error
// UpdateForRemovePolicies calls the update callback of other instances to synchronize their policy.
// It is called after Enforcer.RemovePolicies()
UpdateForRemovePolicies(sec string, ptype string, rules ...[]string) error
}

26
vendor/github.com/casbin/casbin/v2/persist/watcher_update.go generated vendored
View File

@@ -1,26 +0,0 @@
// Copyright 2020 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package persist
// UpdatableWatcher is strengthened for Casbin watchers.
type UpdatableWatcher interface {
Watcher
// UpdateForUpdatePolicy calls the update callback of other instances to synchronize their policy.
// It is called after Enforcer.UpdatePolicy()
UpdateForUpdatePolicy(sec string, ptype string, oldRule, newRule []string) error
// UpdateForUpdatePolicies calls the update callback of other instances to synchronize their policy.
// It is called after Enforcer.UpdatePolicies()
UpdateForUpdatePolicies(sec string, ptype string, oldRules, newRules [][]string) error
}

46
vendor/github.com/casbin/casbin/v2/rbac/context_role_manager.go generated vendored
View File

@@ -1,46 +0,0 @@
// Copyright 2023 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package rbac
import "context"
// ContextRoleManager provides a context-aware interface to define the operations for managing roles.
// Prefer this over RoleManager interface for context propagation, which is useful for things like handling
// request timeouts.
type ContextRoleManager interface {
RoleManager
// ClearCtx clears all stored data and resets the role manager to the initial state with context.
ClearCtx(ctx context.Context) error
// AddLinkCtx adds the inheritance link between two roles. role: name1 and role: name2 with context.
// domain is a prefix to the roles (can be used for other purposes).
AddLinkCtx(ctx context.Context, name1 string, name2 string, domain ...string) error
// DeleteLinkCtx deletes the inheritance link between two roles. role: name1 and role: name2 with context.
// domain is a prefix to the roles (can be used for other purposes).
DeleteLinkCtx(ctx context.Context, name1 string, name2 string, domain ...string) error
// HasLinkCtx determines whether a link exists between two roles. role: name1 inherits role: name2 with context.
// domain is a prefix to the roles (can be used for other purposes).
HasLinkCtx(ctx context.Context, name1 string, name2 string, domain ...string) (bool, error)
// GetRolesCtx gets the roles that a user inherits with context.
// domain is a prefix to the roles (can be used for other purposes).
GetRolesCtx(ctx context.Context, name string, domain ...string) ([]string, error)
// GetUsersCtx gets the users that inherits a role with context.
// domain is a prefix to the users (can be used for other purposes).
GetUsersCtx(ctx context.Context, name string, domain ...string) ([]string, error)
// GetDomainsCtx gets domains that a user has with context.
GetDomainsCtx(ctx context.Context, name string) ([]string, error)
// GetAllDomainsCtx gets all domains with context.
GetAllDomainsCtx(ctx context.Context) ([]string, error)
}

1014
vendor/github.com/casbin/casbin/v2/rbac/default-role-manager/role_manager.go generated vendored
View File

File diff suppressed because it is too large Load Diff

76
vendor/github.com/casbin/casbin/v2/rbac/role_manager.go generated vendored
View File

@@ -1,76 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package rbac
import "github.com/casbin/casbin/v2/log"
type MatchingFunc func(arg1 string, arg2 string) bool
type LinkConditionFunc = func(args ...string) (bool, error)
// RoleManager provides interface to define the operations for managing roles.
type RoleManager interface {
// Clear clears all stored data and resets the role manager to the initial state.
Clear() error
// AddLink adds the inheritance link between two roles. role: name1 and role: name2.
// domain is a prefix to the roles (can be used for other purposes).
AddLink(name1 string, name2 string, domain ...string) error
// Deprecated: BuildRelationship is no longer required
BuildRelationship(name1 string, name2 string, domain ...string) error
// DeleteLink deletes the inheritance link between two roles. role: name1 and role: name2.
// domain is a prefix to the roles (can be used for other purposes).
DeleteLink(name1 string, name2 string, domain ...string) error
// HasLink determines whether a link exists between two roles. role: name1 inherits role: name2.
// domain is a prefix to the roles (can be used for other purposes).
HasLink(name1 string, name2 string, domain ...string) (bool, error)
// GetRoles gets the roles that a user inherits.
// domain is a prefix to the roles (can be used for other purposes).
GetRoles(name string, domain ...string) ([]string, error)
// GetUsers gets the users that inherits a role.
// domain is a prefix to the users (can be used for other purposes).
GetUsers(name string, domain ...string) ([]string, error)
// GetDomains gets domains that a user has
GetDomains(name string) ([]string, error)
// GetAllDomains gets all domains
GetAllDomains() ([]string, error)
// PrintRoles prints all the roles to log.
PrintRoles() error
// SetLogger sets role manager's logger.
SetLogger(logger log.Logger)
// Match matches the domain with the pattern
Match(str string, pattern string) bool
// AddMatchingFunc adds the matching function
AddMatchingFunc(name string, fn MatchingFunc)
// AddDomainMatchingFunc adds the domain matching function
AddDomainMatchingFunc(name string, fn MatchingFunc)
}
// ConditionalRoleManager provides interface to define the operations for managing roles.
// Link with conditions is supported.
type ConditionalRoleManager interface {
RoleManager
// AddLinkConditionFunc Add condition function fn for Link userName->roleName,
// when fn returns true, Link is valid, otherwise invalid
AddLinkConditionFunc(userName, roleName string, fn LinkConditionFunc)
// SetLinkConditionFuncParams Sets the parameters of the condition function fn for Link userName->roleName
SetLinkConditionFuncParams(userName, roleName string, params ...string)
// AddDomainLinkConditionFunc Add condition function fn for Link userName-> {roleName, domain},
// when fn returns true, Link is valid, otherwise invalid
AddDomainLinkConditionFunc(user string, role string, domain string, fn LinkConditionFunc)
// SetDomainLinkConditionFuncParams Sets the parameters of the condition function fn
// for Link userName->{roleName, domain}
SetDomainLinkConditionFuncParams(user string, role string, domain string, params ...string)
}

644
vendor/github.com/casbin/casbin/v2/rbac_api.go generated vendored
View File

@@ -1,644 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import (
"fmt"
"strings"
"github.com/casbin/casbin/v2/constant"
"github.com/casbin/casbin/v2/errors"
"github.com/casbin/casbin/v2/util"
)
// GetRolesForUser gets the roles that a user has.
func (e *Enforcer) GetRolesForUser(name string, domain ...string) ([]string, error) {
rm := e.GetRoleManager()
if rm == nil {
return nil, fmt.Errorf("role manager is not initialized")
}
res, err := rm.GetRoles(name, domain...)
return res, err
}
// GetUsersForRole gets the users that has a role.
func (e *Enforcer) GetUsersForRole(name string, domain ...string) ([]string, error) {
rm := e.GetRoleManager()
if rm == nil {
return nil, fmt.Errorf("role manager is not initialized")
}
res, err := rm.GetUsers(name, domain...)
return res, err
}
// HasRoleForUser determines whether a user has a role.
func (e *Enforcer) HasRoleForUser(name string, role string, domain ...string) (bool, error) {
roles, err := e.GetRolesForUser(name, domain...)
if err != nil {
return false, err
}
hasRole := false
for _, r := range roles {
if r == role {
hasRole = true
break
}
}
return hasRole, nil
}
// AddRoleForUser adds a role for a user.
// Returns false if the user already has the role (aka not affected).
func (e *Enforcer) AddRoleForUser(user string, role string, domain ...string) (bool, error) {
args := []string{user, role}
args = append(args, domain...)
return e.AddGroupingPolicy(args)
}
// AddRolesForUser adds roles for a user.
// Returns false if the user already has the roles (aka not affected).
func (e *Enforcer) AddRolesForUser(user string, roles []string, domain ...string) (bool, error) {
var rules [][]string
for _, role := range roles {
rule := []string{user, role}
rule = append(rule, domain...)
rules = append(rules, rule)
}
return e.AddGroupingPolicies(rules)
}
// DeleteRoleForUser deletes a role for a user.
// Returns false if the user does not have the role (aka not affected).
func (e *Enforcer) DeleteRoleForUser(user string, role string, domain ...string) (bool, error) {
args := []string{user, role}
args = append(args, domain...)
return e.RemoveGroupingPolicy(args)
}
// DeleteRolesForUser deletes all roles for a user.
// Returns false if the user does not have any roles (aka not affected).
func (e *Enforcer) DeleteRolesForUser(user string, domain ...string) (bool, error) {
var args []string
if len(domain) == 0 {
args = []string{user}
} else if len(domain) > 1 {
return false, errors.ErrDomainParameter
} else {
args = []string{user, "", domain[0]}
}
return e.RemoveFilteredGroupingPolicy(0, args...)
}
// DeleteUser deletes a user.
// Returns false if the user does not exist (aka not affected).
func (e *Enforcer) DeleteUser(user string) (bool, error) {
var err error
res1, err := e.RemoveFilteredGroupingPolicy(0, user)
if err != nil {
return res1, err
}
subIndex, err := e.GetFieldIndex("p", constant.SubjectIndex)
if err != nil {
return false, err
}
res2, err := e.RemoveFilteredPolicy(subIndex, user)
return res1 || res2, err
}
// DeleteRole deletes a role.
// Returns false if the role does not exist (aka not affected).
func (e *Enforcer) DeleteRole(role string) (bool, error) {
var err error
res1, err := e.RemoveFilteredGroupingPolicy(0, role)
if err != nil {
return res1, err
}
res2, err := e.RemoveFilteredGroupingPolicy(1, role)
if err != nil {
return res1, err
}
subIndex, err := e.GetFieldIndex("p", constant.SubjectIndex)
if err != nil {
return false, err
}
res3, err := e.RemoveFilteredPolicy(subIndex, role)
return res1 || res2 || res3, err
}
// DeletePermission deletes a permission.
// Returns false if the permission does not exist (aka not affected).
func (e *Enforcer) DeletePermission(permission ...string) (bool, error) {
return e.RemoveFilteredPolicy(1, permission...)
}
// AddPermissionForUser adds a permission for a user or role.
// Returns false if the user or role already has the permission (aka not affected).
func (e *Enforcer) AddPermissionForUser(user string, permission ...string) (bool, error) {
return e.AddPolicy(util.JoinSlice(user, permission...))
}
// AddPermissionsForUser adds multiple permissions for a user or role.
// Returns false if the user or role already has one of the permissions (aka not affected).
func (e *Enforcer) AddPermissionsForUser(user string, permissions ...[]string) (bool, error) {
var rules [][]string
for _, permission := range permissions {
rules = append(rules, util.JoinSlice(user, permission...))
}
return e.AddPolicies(rules)
}
// DeletePermissionForUser deletes a permission for a user or role.
// Returns false if the user or role does not have the permission (aka not affected).
func (e *Enforcer) DeletePermissionForUser(user string, permission ...string) (bool, error) {
return e.RemovePolicy(util.JoinSlice(user, permission...))
}
// DeletePermissionsForUser deletes permissions for a user or role.
// Returns false if the user or role does not have any permissions (aka not affected).
func (e *Enforcer) DeletePermissionsForUser(user string) (bool, error) {
subIndex, err := e.GetFieldIndex("p", constant.SubjectIndex)
if err != nil {
return false, err
}
return e.RemoveFilteredPolicy(subIndex, user)
}
// GetPermissionsForUser gets permissions for a user or role.
func (e *Enforcer) GetPermissionsForUser(user string, domain ...string) ([][]string, error) {
return e.GetNamedPermissionsForUser("p", user, domain...)
}
// GetNamedPermissionsForUser gets permissions for a user or role by named policy.
func (e *Enforcer) GetNamedPermissionsForUser(ptype string, user string, domain ...string) ([][]string, error) {
permission := make([][]string, 0)
for pType, assertion := range e.model["p"] {
if pType != ptype {
continue
}
args := make([]string, len(assertion.Tokens))
subIndex, err := e.GetFieldIndex("p", constant.SubjectIndex)
if err != nil {
subIndex = 0
}
args[subIndex] = user
if len(domain) > 0 {
var index int
index, err = e.GetFieldIndex(ptype, constant.DomainIndex)
if err != nil {
return permission, err
}
args[index] = domain[0]
}
perm, err := e.GetFilteredNamedPolicy(ptype, 0, args...)
if err != nil {
return permission, err
}
permission = append(permission, perm...)
}
return permission, nil
}
// HasPermissionForUser determines whether a user has a permission.
func (e *Enforcer) HasPermissionForUser(user string, permission ...string) (bool, error) {
return e.HasPolicy(util.JoinSlice(user, permission...))
}
// GetImplicitRolesForUser gets implicit roles that a user has.
// Compared to GetRolesForUser(), this function retrieves indirect roles besides direct roles.
// For example:
// g, alice, role:admin
// g, role:admin, role:user
//
// GetRolesForUser("alice") can only get: ["role:admin"].
// But GetImplicitRolesForUser("alice") will get: ["role:admin", "role:user"].
func (e *Enforcer) GetImplicitRolesForUser(name string, domain ...string) ([]string, error) {
var res []string
for v := range e.rmMap {
roles, err := e.GetNamedImplicitRolesForUser(v, name, domain...)
if err != nil {
return nil, err
}
res = append(res, roles...)
}
return res, nil
}
// GetNamedImplicitRolesForUser gets implicit roles that a user has by named role definition.
// Compared to GetImplicitRolesForUser(), this function retrieves indirect roles besides direct roles.
// For example:
// g, alice, role:admin
// g, role:admin, role:user
// g2, alice, role:admin2
//
// GetImplicitRolesForUser("alice") can only get: ["role:admin", "role:user"].
// But GetNamedImplicitRolesForUser("g2", "alice") will get: ["role:admin2"].
func (e *Enforcer) GetNamedImplicitRolesForUser(ptype string, name string, domain ...string) ([]string, error) {
var res []string
rm := e.GetNamedRoleManager(ptype)
if rm == nil {
return nil, fmt.Errorf("role manager %s is not initialized", ptype)
}
roleSet := make(map[string]bool)
roleSet[name] = true
q := make([]string, 0)
q = append(q, name)
for len(q) > 0 {
name := q[0]
q = q[1:]
roles, err := rm.GetRoles(name, domain...)
if err != nil {
return nil, err
}
for _, r := range roles {
if _, ok := roleSet[r]; !ok {
res = append(res, r)
q = append(q, r)
roleSet[r] = true
}
}
}
return res, nil
}
// GetImplicitUsersForRole gets implicit users for a role.
func (e *Enforcer) GetImplicitUsersForRole(name string, domain ...string) ([]string, error) {
res := []string{}
for _, rm := range e.rmMap {
roleSet := make(map[string]bool)
roleSet[name] = true
q := make([]string, 0)
q = append(q, name)
for len(q) > 0 {
name := q[0]
q = q[1:]
roles, err := rm.GetUsers(name, domain...)
if err != nil && err.Error() != "error: name does not exist" {
return nil, err
}
for _, r := range roles {
if _, ok := roleSet[r]; !ok {
res = append(res, r)
q = append(q, r)
roleSet[r] = true
}
}
}
}
return res, nil
}
// GetImplicitPermissionsForUser gets implicit permissions for a user or role.
// Compared to GetPermissionsForUser(), this function retrieves permissions for inherited roles.
// For example:
// p, admin, data1, read
// p, alice, data2, read
// g, alice, admin
//
// GetPermissionsForUser("alice") can only get: [["alice", "data2", "read"]].
// But GetImplicitPermissionsForUser("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].
func (e *Enforcer) GetImplicitPermissionsForUser(user string, domain ...string) ([][]string, error) {
return e.GetNamedImplicitPermissionsForUser("p", "g", user, domain...)
}
// GetNamedImplicitPermissionsForUser gets implicit permissions for a user or role by named policy.
// Compared to GetNamedPermissionsForUser(), this function retrieves permissions for inherited roles.
// For example:
// p, admin, data1, read
// p2, admin, create
// g, alice, admin
//
// GetImplicitPermissionsForUser("alice") can only get: [["admin", "data1", "read"]], whose policy is default policy "p"
// But you can specify the named policy "p2" to get: [["admin", "create"]] by GetNamedImplicitPermissionsForUser("p2","alice").
func (e *Enforcer) GetNamedImplicitPermissionsForUser(ptype string, gtype string, user string, domain ...string) ([][]string, error) {
permission := make([][]string, 0)
rm := e.GetNamedRoleManager(gtype)
if rm == nil {
return nil, fmt.Errorf("role manager %s is not initialized", gtype)
}
roles, err := e.GetNamedImplicitRolesForUser(gtype, user, domain...)
if err != nil {
return nil, err
}
policyRoles := make(map[string]struct{}, len(roles)+1)
policyRoles[user] = struct{}{}
for _, r := range roles {
policyRoles[r] = struct{}{}
}
domainIndex, err := e.GetFieldIndex(ptype, constant.DomainIndex)
for _, rule := range e.model["p"][ptype].Policy {
if len(domain) == 0 {
if _, ok := policyRoles[rule[0]]; ok {
permission = append(permission, deepCopyPolicy(rule))
}
continue
}
if len(domain) > 1 {
return nil, errors.ErrDomainParameter
}
if err != nil {
return nil, err
}
d := domain[0]
matched := rm.Match(d, rule[domainIndex])
if !matched {
continue
}
if _, ok := policyRoles[rule[0]]; ok {
newRule := deepCopyPolicy(rule)
newRule[domainIndex] = d
permission = append(permission, newRule)
}
}
return permission, nil
}
// GetImplicitUsersForPermission gets implicit users for a permission.
// For example:
// p, admin, data1, read
// p, bob, data1, read
// g, alice, admin
//
// GetImplicitUsersForPermission("data1", "read") will get: ["alice", "bob"].
// Note: only users will be returned, roles (2nd arg in "g") will be excluded.
func (e *Enforcer) GetImplicitUsersForPermission(permission ...string) ([]string, error) {
pSubjects, err := e.GetAllSubjects()
if err != nil {
return nil, err
}
gInherit, err := e.model.GetValuesForFieldInPolicyAllTypes("g", 1)
if err != nil {
return nil, err
}
gSubjects, err := e.model.GetValuesForFieldInPolicyAllTypes("g", 0)
if err != nil {
return nil, err
}
subjects := append(pSubjects, gSubjects...)
util.ArrayRemoveDuplicates(&subjects)
subjects = util.SetSubtract(subjects, gInherit)
res := []string{}
for _, user := range subjects {
req := util.JoinSliceAny(user, permission...)
allowed, err := e.Enforce(req...)
if err != nil {
return nil, err
}
if allowed {
res = append(res, user)
}
}
return res, nil
}
// GetDomainsForUser gets all domains.
func (e *Enforcer) GetDomainsForUser(user string) ([]string, error) {
var domains []string
for _, rm := range e.rmMap {
domain, err := rm.GetDomains(user)
if err != nil {
return nil, err
}
domains = append(domains, domain...)
}
return domains, nil
}
// GetImplicitResourcesForUser returns all policies that user obtaining in domain.
func (e *Enforcer) GetImplicitResourcesForUser(user string, domain ...string) ([][]string, error) {
permissions, err := e.GetImplicitPermissionsForUser(user, domain...)
if err != nil {
return nil, err
}
res := make([][]string, 0)
for _, permission := range permissions {
if permission[0] == user {
res = append(res, permission)
continue
}
resLocal := [][]string{{user}}
tokensLength := len(permission)
t := make([][]string, 1, tokensLength)
for _, token := range permission[1:] {
tokens, err := e.GetImplicitUsersForRole(token, domain...)
if err != nil {
return nil, err
}
tokens = append(tokens, token)
t = append(t, tokens)
}
for i := 1; i < tokensLength; i++ {
n := make([][]string, 0)
for _, tokens := range t[i] {
for _, policy := range resLocal {
t := append([]string(nil), policy...)
t = append(t, tokens)
n = append(n, t)
}
}
resLocal = n
}
res = append(res, resLocal...)
}
return res, nil
}
// deepCopyPolicy returns a deepcopy version of the policy to prevent changing policies through returned slice.
func deepCopyPolicy(src []string) []string {
newRule := make([]string, len(src))
copy(newRule, src)
return newRule
}
// GetAllowedObjectConditions returns a string array of object conditions that the user can access.
// For example: conditions, err := e.GetAllowedObjectConditions("alice", "read", "r.obj.")
// Note:
//
// 0. prefix: You can customize the prefix of the object conditions, and "r.obj." is commonly used as a prefix.
// After removing the prefix, the remaining part is the condition of the object.
// If there is an obj policy that does not meet the prefix requirement, an errors.ERR_OBJ_CONDITION will be returned.
//
// 1. If the 'objectConditions' array is empty, return errors.ERR_EMPTY_CONDITION
// This error is returned because some data adapters' ORM return full table data by default
// when they receive an empty condition, which tends to behave contrary to expectations.(e.g. GORM)
// If you are using an adapter that does not behave like this, you can choose to ignore this error.
func (e *Enforcer) GetAllowedObjectConditions(user string, action string, prefix string) ([]string, error) {
permissions, err := e.GetImplicitPermissionsForUser(user)
if err != nil {
return nil, err
}
var objectConditions []string
for _, policy := range permissions {
// policy {sub, obj, act}
if policy[2] == action {
if !strings.HasPrefix(policy[1], prefix) {
return nil, errors.ErrObjCondition
}
objectConditions = append(objectConditions, strings.TrimPrefix(policy[1], prefix))
}
}
if len(objectConditions) == 0 {
return nil, errors.ErrEmptyCondition
}
return objectConditions, nil
}
// removeDuplicatePermissions Convert permissions to string as a hash to deduplicate.
func removeDuplicatePermissions(permissions [][]string) [][]string {
permissionsSet := make(map[string]bool)
res := make([][]string, 0)
for _, permission := range permissions {
permissionStr := util.ArrayToString(permission)
if permissionsSet[permissionStr] {
continue
}
permissionsSet[permissionStr] = true
res = append(res, permission)
}
return res
}
// GetImplicitUsersForResource return implicit user based on resource.
// for example:
// p, alice, data1, read
// p, bob, data2, write
// p, data2_admin, data2, read
// p, data2_admin, data2, write
// g, alice, data2_admin
// GetImplicitUsersForResource("data2") will return [[bob data2 write] [alice data2 read] [alice data2 write]]
// GetImplicitUsersForResource("data1") will return [[alice data1 read]]
// Note: only users will be returned, roles (2nd arg in "g") will be excluded.
func (e *Enforcer) GetImplicitUsersForResource(resource string) ([][]string, error) {
permissions := make([][]string, 0)
subjectIndex, _ := e.GetFieldIndex("p", "sub")
objectIndex, _ := e.GetFieldIndex("p", "obj")
rm := e.GetRoleManager()
if rm == nil {
return nil, fmt.Errorf("role manager is not initialized")
}
isRole := make(map[string]bool)
roles, err := e.GetAllRoles()
if err != nil {
return nil, err
}
for _, role := range roles {
isRole[role] = true
}
for _, rule := range e.model["p"]["p"].Policy {
obj := rule[objectIndex]
if obj != resource {
continue
}
sub := rule[subjectIndex]
if !isRole[sub] {
permissions = append(permissions, rule)
} else {
users, err := rm.GetUsers(sub)
if err != nil {
return nil, err
}
for _, user := range users {
implicitUserRule := deepCopyPolicy(rule)
implicitUserRule[subjectIndex] = user
permissions = append(permissions, implicitUserRule)
}
}
}
res := removeDuplicatePermissions(permissions)
return res, nil
}
// GetImplicitUsersForResourceByDomain return implicit user based on resource and domain.
// Compared to GetImplicitUsersForResource, domain is supported.
func (e *Enforcer) GetImplicitUsersForResourceByDomain(resource string, domain string) ([][]string, error) {
permissions := make([][]string, 0)
subjectIndex, _ := e.GetFieldIndex("p", "sub")
objectIndex, _ := e.GetFieldIndex("p", "obj")
domIndex, _ := e.GetFieldIndex("p", "dom")
rm := e.GetRoleManager()
if rm == nil {
return nil, fmt.Errorf("role manager is not initialized")
}
isRole := make(map[string]bool)
if roles, err := e.GetAllRolesByDomain(domain); err != nil {
return nil, err
} else {
for _, role := range roles {
isRole[role] = true
}
}
for _, rule := range e.model["p"]["p"].Policy {
obj := rule[objectIndex]
if obj != resource {
continue
}
sub := rule[subjectIndex]
if !isRole[sub] {
permissions = append(permissions, rule)
} else {
if domain != rule[domIndex] {
continue
}
users, err := rm.GetUsers(sub, domain)
if err != nil {
return nil, err
}
for _, user := range users {
implicitUserRule := deepCopyPolicy(rule)
implicitUserRule[subjectIndex] = user
permissions = append(permissions, implicitUserRule)
}
}
}
res := removeDuplicatePermissions(permissions)
return res, nil
}

203
vendor/github.com/casbin/casbin/v2/rbac_api_synced.go generated vendored
View File

@@ -1,203 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
// GetRolesForUser gets the roles that a user has.
func (e *SyncedEnforcer) GetRolesForUser(name string, domain ...string) ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetRolesForUser(name, domain...)
}
// GetUsersForRole gets the users that has a role.
func (e *SyncedEnforcer) GetUsersForRole(name string, domain ...string) ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetUsersForRole(name, domain...)
}
// HasRoleForUser determines whether a user has a role.
func (e *SyncedEnforcer) HasRoleForUser(name string, role string, domain ...string) (bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.HasRoleForUser(name, role, domain...)
}
// AddRoleForUser adds a role for a user.
// Returns false if the user already has the role (aka not affected).
func (e *SyncedEnforcer) AddRoleForUser(user string, role string, domain ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddRoleForUser(user, role, domain...)
}
// AddRolesForUser adds roles for a user.
// Returns false if the user already has the roles (aka not affected).
func (e *SyncedEnforcer) AddRolesForUser(user string, roles []string, domain ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddRolesForUser(user, roles, domain...)
}
// DeleteRoleForUser deletes a role for a user.
// Returns false if the user does not have the role (aka not affected).
func (e *SyncedEnforcer) DeleteRoleForUser(user string, role string, domain ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.DeleteRoleForUser(user, role, domain...)
}
// DeleteRolesForUser deletes all roles for a user.
// Returns false if the user does not have any roles (aka not affected).
func (e *SyncedEnforcer) DeleteRolesForUser(user string, domain ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.DeleteRolesForUser(user, domain...)
}
// DeleteUser deletes a user.
// Returns false if the user does not exist (aka not affected).
func (e *SyncedEnforcer) DeleteUser(user string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.DeleteUser(user)
}
// DeleteRole deletes a role.
// Returns false if the role does not exist (aka not affected).
func (e *SyncedEnforcer) DeleteRole(role string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.DeleteRole(role)
}
// DeletePermission deletes a permission.
// Returns false if the permission does not exist (aka not affected).
func (e *SyncedEnforcer) DeletePermission(permission ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.DeletePermission(permission...)
}
// AddPermissionForUser adds a permission for a user or role.
// Returns false if the user or role already has the permission (aka not affected).
func (e *SyncedEnforcer) AddPermissionForUser(user string, permission ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddPermissionForUser(user, permission...)
}
// AddPermissionsForUser adds permissions for a user or role.
// Returns false if the user or role already has the permissions (aka not affected).
func (e *SyncedEnforcer) AddPermissionsForUser(user string, permissions ...[]string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddPermissionsForUser(user, permissions...)
}
// DeletePermissionForUser deletes a permission for a user or role.
// Returns false if the user or role does not have the permission (aka not affected).
func (e *SyncedEnforcer) DeletePermissionForUser(user string, permission ...string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.DeletePermissionForUser(user, permission...)
}
// DeletePermissionsForUser deletes permissions for a user or role.
// Returns false if the user or role does not have any permissions (aka not affected).
func (e *SyncedEnforcer) DeletePermissionsForUser(user string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.DeletePermissionsForUser(user)
}
// GetPermissionsForUser gets permissions for a user or role.
func (e *SyncedEnforcer) GetPermissionsForUser(user string, domain ...string) ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetPermissionsForUser(user, domain...)
}
// GetNamedPermissionsForUser gets permissions for a user or role by named policy.
func (e *SyncedEnforcer) GetNamedPermissionsForUser(ptype string, user string, domain ...string) ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetNamedPermissionsForUser(ptype, user, domain...)
}
// HasPermissionForUser determines whether a user has a permission.
func (e *SyncedEnforcer) HasPermissionForUser(user string, permission ...string) (bool, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.HasPermissionForUser(user, permission...)
}
// GetImplicitRolesForUser gets implicit roles that a user has.
// Compared to GetRolesForUser(), this function retrieves indirect roles besides direct roles.
// For example:
// g, alice, role:admin
// g, role:admin, role:user
//
// GetRolesForUser("alice") can only get: ["role:admin"].
// But GetImplicitRolesForUser("alice") will get: ["role:admin", "role:user"].
func (e *SyncedEnforcer) GetImplicitRolesForUser(name string, domain ...string) ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetImplicitRolesForUser(name, domain...)
}
// GetImplicitPermissionsForUser gets implicit permissions for a user or role.
// Compared to GetPermissionsForUser(), this function retrieves permissions for inherited roles.
// For example:
// p, admin, data1, read
// p, alice, data2, read
// g, alice, admin
//
// GetPermissionsForUser("alice") can only get: [["alice", "data2", "read"]].
// But GetImplicitPermissionsForUser("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].
func (e *SyncedEnforcer) GetImplicitPermissionsForUser(user string, domain ...string) ([][]string, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.GetImplicitPermissionsForUser(user, domain...)
}
// GetNamedImplicitPermissionsForUser gets implicit permissions for a user or role by named policy.
// Compared to GetNamedPermissionsForUser(), this function retrieves permissions for inherited roles.
// For example:
// p, admin, data1, read
// p2, admin, create
// g, alice, admin
//
// GetImplicitPermissionsForUser("alice") can only get: [["admin", "data1", "read"]], whose policy is default policy "p"
// But you can specify the named policy "p2" to get: [["admin", "create"]] by GetNamedImplicitPermissionsForUser("p2","alice").
func (e *SyncedEnforcer) GetNamedImplicitPermissionsForUser(ptype string, gtype string, user string, domain ...string) ([][]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetNamedImplicitPermissionsForUser(ptype, gtype, user, domain...)
}
// GetImplicitUsersForPermission gets implicit users for a permission.
// For example:
// p, admin, data1, read
// p, bob, data1, read
// g, alice, admin
//
// GetImplicitUsersForPermission("data1", "read") will get: ["alice", "bob"].
// Note: only users will be returned, roles (2nd arg in "g") will be excluded.
func (e *SyncedEnforcer) GetImplicitUsersForPermission(permission ...string) ([]string, error) {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetImplicitUsersForPermission(permission...)
}

192
vendor/github.com/casbin/casbin/v2/rbac_api_with_domains.go generated vendored
View File

@@ -1,192 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
import (
"fmt"
"github.com/casbin/casbin/v2/constant"
)
// GetUsersForRoleInDomain gets the users that has a role inside a domain. Add by Gordon.
func (e *Enforcer) GetUsersForRoleInDomain(name string, domain string) []string {
if e.GetRoleManager() == nil {
return nil
}
res, _ := e.GetRoleManager().GetUsers(name, domain)
return res
}
// GetRolesForUserInDomain gets the roles that a user has inside a domain.
func (e *Enforcer) GetRolesForUserInDomain(name string, domain string) []string {
if e.GetRoleManager() == nil {
return nil
}
res, _ := e.GetRoleManager().GetRoles(name, domain)
return res
}
// GetPermissionsForUserInDomain gets permissions for a user or role inside a domain.
func (e *Enforcer) GetPermissionsForUserInDomain(user string, domain string) [][]string {
res, _ := e.GetImplicitPermissionsForUser(user, domain)
return res
}
// AddRoleForUserInDomain adds a role for a user inside a domain.
// Returns false if the user already has the role (aka not affected).
func (e *Enforcer) AddRoleForUserInDomain(user string, role string, domain string) (bool, error) {
return e.AddGroupingPolicy(user, role, domain)
}
// DeleteRoleForUserInDomain deletes a role for a user inside a domain.
// Returns false if the user does not have the role (aka not affected).
func (e *Enforcer) DeleteRoleForUserInDomain(user string, role string, domain string) (bool, error) {
return e.RemoveGroupingPolicy(user, role, domain)
}
// DeleteRolesForUserInDomain deletes all roles for a user inside a domain.
// Returns false if the user does not have any roles (aka not affected).
func (e *Enforcer) DeleteRolesForUserInDomain(user string, domain string) (bool, error) {
if e.GetRoleManager() == nil {
return false, fmt.Errorf("role manager is not initialized")
}
roles, err := e.GetRoleManager().GetRoles(user, domain)
if err != nil {
return false, err
}
var rules [][]string
for _, role := range roles {
rules = append(rules, []string{user, role, domain})
}
return e.RemoveGroupingPolicies(rules)
}
// GetAllUsersByDomain would get all users associated with the domain.
func (e *Enforcer) GetAllUsersByDomain(domain string) ([]string, error) {
m := make(map[string]struct{})
g, err := e.model.GetAssertion("g", "g")
if err != nil {
return []string{}, err
}
p := e.model["p"]["p"]
users := make([]string, 0)
index, err := e.GetFieldIndex("p", constant.DomainIndex)
if err != nil {
return []string{}, err
}
getUser := func(index int, policies [][]string, domain string, m map[string]struct{}) []string {
if len(policies) == 0 || len(policies[0]) <= index {
return []string{}
}
res := make([]string, 0)
for _, policy := range policies {
if _, ok := m[policy[0]]; policy[index] == domain && !ok {
res = append(res, policy[0])
m[policy[0]] = struct{}{}
}
}
return res
}
users = append(users, getUser(2, g.Policy, domain, m)...)
users = append(users, getUser(index, p.Policy, domain, m)...)
return users, nil
}
// DeleteAllUsersByDomain would delete all users associated with the domain.
func (e *Enforcer) DeleteAllUsersByDomain(domain string) (bool, error) {
g, err := e.model.GetAssertion("g", "g")
if err != nil {
return false, err
}
p := e.model["p"]["p"]
index, err := e.GetFieldIndex("p", constant.DomainIndex)
if err != nil {
return false, err
}
getUser := func(index int, policies [][]string, domain string) [][]string {
if len(policies) == 0 || len(policies[0]) <= index {
return [][]string{}
}
res := make([][]string, 0)
for _, policy := range policies {
if policy[index] == domain {
res = append(res, policy)
}
}
return res
}
users := getUser(2, g.Policy, domain)
if _, err = e.RemoveGroupingPolicies(users); err != nil {
return false, err
}
users = getUser(index, p.Policy, domain)
if _, err = e.RemovePolicies(users); err != nil {
return false, err
}
return true, nil
}
// DeleteDomains would delete all associated users and roles.
// It would delete all domains if parameter is not provided.
func (e *Enforcer) DeleteDomains(domains ...string) (bool, error) {
if len(domains) == 0 {
e.ClearPolicy()
return true, nil
}
for _, domain := range domains {
if _, err := e.DeleteAllUsersByDomain(domain); err != nil {
return false, err
}
}
return true, nil
}
// GetAllDomains would get all domains.
func (e *Enforcer) GetAllDomains() ([]string, error) {
if e.GetRoleManager() == nil {
return nil, fmt.Errorf("role manager is not initialized")
}
return e.GetRoleManager().GetAllDomains()
}
// GetAllRolesByDomain would get all roles associated with the domain.
// note: Not applicable to Domains with inheritance relationship (implicit roles)
func (e *Enforcer) GetAllRolesByDomain(domain string) ([]string, error) {
g, err := e.model.GetAssertion("g", "g")
if err != nil {
return []string{}, err
}
policies := g.Policy
roles := make([]string, 0)
existMap := make(map[string]bool) // remove duplicates
for _, policy := range policies {
if policy[len(policy)-1] == domain {
role := policy[len(policy)-2]
if _, ok := existMap[role]; !ok {
roles = append(roles, role)
existMap[role] = true
}
}
}
return roles, nil
}

60
vendor/github.com/casbin/casbin/v2/rbac_api_with_domains_synced.go generated vendored
View File

@@ -1,60 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package casbin
// GetUsersForRoleInDomain gets the users that has a role inside a domain. Add by Gordon.
func (e *SyncedEnforcer) GetUsersForRoleInDomain(name string, domain string) []string {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetUsersForRoleInDomain(name, domain)
}
// GetRolesForUserInDomain gets the roles that a user has inside a domain.
func (e *SyncedEnforcer) GetRolesForUserInDomain(name string, domain string) []string {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetRolesForUserInDomain(name, domain)
}
// GetPermissionsForUserInDomain gets permissions for a user or role inside a domain.
func (e *SyncedEnforcer) GetPermissionsForUserInDomain(user string, domain string) [][]string {
e.m.RLock()
defer e.m.RUnlock()
return e.Enforcer.GetPermissionsForUserInDomain(user, domain)
}
// AddRoleForUserInDomain adds a role for a user inside a domain.
// Returns false if the user already has the role (aka not affected).
func (e *SyncedEnforcer) AddRoleForUserInDomain(user string, role string, domain string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.AddRoleForUserInDomain(user, role, domain)
}
// DeleteRoleForUserInDomain deletes a role for a user inside a domain.
// Returns false if the user does not have the role (aka not affected).
func (e *SyncedEnforcer) DeleteRoleForUserInDomain(user string, role string, domain string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.DeleteRoleForUserInDomain(user, role, domain)
}
// DeleteRolesForUserInDomain deletes all roles for a user inside a domain.
// Returns false if the user does not have any roles (aka not affected).
func (e *SyncedEnforcer) DeleteRolesForUserInDomain(user string, domain string) (bool, error) {
e.m.Lock()
defer e.m.Unlock()
return e.Enforcer.DeleteRolesForUserInDomain(user, domain)
}

482
vendor/github.com/casbin/casbin/v2/util/builtin_operators.go generated vendored
View File

@@ -1,482 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package util
import (
"errors"
"fmt"
"net"
"path"
"regexp"
"strings"
"sync"
"time"
"github.com/casbin/casbin/v2/rbac"
"github.com/casbin/govaluate"
)
var (
keyMatch4Re *regexp.Regexp = regexp.MustCompile(`{([^/]+)}`)
)
// validate the variadic parameter size and type as string.
func validateVariadicArgs(expectedLen int, args ...interface{}) error {
if len(args) != expectedLen {
return fmt.Errorf("expected %d arguments, but got %d", expectedLen, len(args))
}
for _, p := range args {
_, ok := p.(string)
if !ok {
return errors.New("argument must be a string")
}
}
return nil
}
// validate the variadic string parameter size.
func validateVariadicStringArgs(expectedLen int, args ...string) error {
if len(args) != expectedLen {
return fmt.Errorf("expected %d arguments, but got %d", expectedLen, len(args))
}
return nil
}
// KeyMatch determines whether key1 matches the pattern of key2 (similar to RESTful path), key2 can contain a *.
// For example, "/foo/bar" matches "/foo/*".
func KeyMatch(key1 string, key2 string) bool {
i := strings.Index(key2, "*")
if i == -1 {
return key1 == key2
}
if len(key1) > i {
return key1[:i] == key2[:i]
}
return key1 == key2[:i]
}
// KeyMatchFunc is the wrapper for KeyMatch.
func KeyMatchFunc(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "keyMatch", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
return KeyMatch(name1, name2), nil
}
// KeyGet returns the matched part
// For example, "/foo/bar/foo" matches "/foo/*"
// "bar/foo" will been returned.
func KeyGet(key1, key2 string) string {
i := strings.Index(key2, "*")
if i == -1 {
return ""
}
if len(key1) > i {
if key1[:i] == key2[:i] {
return key1[i:]
}
}
return ""
}
// KeyGetFunc is the wrapper for KeyGet.
func KeyGetFunc(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "keyGet", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
return KeyGet(name1, name2), nil
}
// KeyMatch2 determines whether key1 matches the pattern of key2 (similar to RESTful path), key2 can contain a *.
// For example, "/foo/bar" matches "/foo/*", "/resource1" matches "/:resource".
func KeyMatch2(key1 string, key2 string) bool {
key2 = strings.Replace(key2, "/*", "/.*", -1)
re := regexp.MustCompile(`:[^/]+`)
key2 = re.ReplaceAllString(key2, "$1[^/]+$2")
return RegexMatch(key1, "^"+key2+"$")
}
// KeyMatch2Func is the wrapper for KeyMatch2.
func KeyMatch2Func(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "keyMatch2", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
return KeyMatch2(name1, name2), nil
}
// KeyGet2 returns value matched pattern
// For example, "/resource1" matches "/:resource"
// if the pathVar == "resource", then "resource1" will be returned.
func KeyGet2(key1, key2 string, pathVar string) string {
key2 = strings.Replace(key2, "/*", "/.*", -1)
re := regexp.MustCompile(`:[^/]+`)
keys := re.FindAllString(key2, -1)
key2 = re.ReplaceAllString(key2, "$1([^/]+)$2")
key2 = "^" + key2 + "$"
re2 := regexp.MustCompile(key2)
values := re2.FindAllStringSubmatch(key1, -1)
if len(values) == 0 {
return ""
}
for i, key := range keys {
if pathVar == key[1:] {
return values[0][i+1]
}
}
return ""
}
// KeyGet2Func is the wrapper for KeyGet2.
func KeyGet2Func(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(3, args...); err != nil {
return false, fmt.Errorf("%s: %w", "keyGet2", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
key := args[2].(string)
return KeyGet2(name1, name2, key), nil
}
// KeyMatch3 determines whether key1 matches the pattern of key2 (similar to RESTful path), key2 can contain a *.
// For example, "/foo/bar" matches "/foo/*", "/resource1" matches "/{resource}".
func KeyMatch3(key1 string, key2 string) bool {
key2 = strings.Replace(key2, "/*", "/.*", -1)
re := regexp.MustCompile(`\{[^/]+\}`)
key2 = re.ReplaceAllString(key2, "$1[^/]+$2")
return RegexMatch(key1, "^"+key2+"$")
}
// KeyMatch3Func is the wrapper for KeyMatch3.
func KeyMatch3Func(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "keyMatch3", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
return KeyMatch3(name1, name2), nil
}
// KeyGet3 returns value matched pattern
// For example, "project/proj_project1_admin/" matches "project/proj_{project}_admin/"
// if the pathVar == "project", then "project1" will be returned.
func KeyGet3(key1, key2 string, pathVar string) string {
key2 = strings.Replace(key2, "/*", "/.*", -1)
re := regexp.MustCompile(`\{[^/]+?\}`) // non-greedy match of `{...}` to support multiple {} in `/.../`
keys := re.FindAllString(key2, -1)
key2 = re.ReplaceAllString(key2, "$1([^/]+?)$2")
key2 = "^" + key2 + "$"
re2 := regexp.MustCompile(key2)
values := re2.FindAllStringSubmatch(key1, -1)
if len(values) == 0 {
return ""
}
for i, key := range keys {
if pathVar == key[1:len(key)-1] {
return values[0][i+1]
}
}
return ""
}
// KeyGet3Func is the wrapper for KeyGet3.
func KeyGet3Func(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(3, args...); err != nil {
return false, fmt.Errorf("%s: %w", "keyGet3", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
key := args[2].(string)
return KeyGet3(name1, name2, key), nil
}
// KeyMatch4 determines whether key1 matches the pattern of key2 (similar to RESTful path), key2 can contain a *.
// Besides what KeyMatch3 does, KeyMatch4 can also match repeated patterns:
// "/parent/123/child/123" matches "/parent/{id}/child/{id}"
// "/parent/123/child/456" does not match "/parent/{id}/child/{id}"
// But KeyMatch3 will match both.
func KeyMatch4(key1 string, key2 string) bool {
key2 = strings.Replace(key2, "/*", "/.*", -1)
tokens := []string{}
re := keyMatch4Re
key2 = re.ReplaceAllStringFunc(key2, func(s string) string {
tokens = append(tokens, s[1:len(s)-1])
return "([^/]+)"
})
re = regexp.MustCompile("^" + key2 + "$")
matches := re.FindStringSubmatch(key1)
if matches == nil {
return false
}
matches = matches[1:]
if len(tokens) != len(matches) {
panic(errors.New("KeyMatch4: number of tokens is not equal to number of values"))
}
values := map[string]string{}
for key, token := range tokens {
if _, ok := values[token]; !ok {
values[token] = matches[key]
}
if values[token] != matches[key] {
return false
}
}
return true
}
// KeyMatch4Func is the wrapper for KeyMatch4.
func KeyMatch4Func(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "keyMatch4", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
return KeyMatch4(name1, name2), nil
}
// KeyMatch5 determines whether key1 matches the pattern of key2 (similar to RESTful path), key2 can contain a *
// For example,
// - "/foo/bar?status=1&type=2" matches "/foo/bar"
// - "/parent/child1" and "/parent/child1" matches "/parent/*"
// - "/parent/child1?status=1" matches "/parent/*".
func KeyMatch5(key1 string, key2 string) bool {
i := strings.Index(key1, "?")
if i != -1 {
key1 = key1[:i]
}
key2 = strings.Replace(key2, "/*", "/.*", -1)
re := regexp.MustCompile(`\{[^/]+\}`)
key2 = re.ReplaceAllString(key2, "$1[^/]+$2")
return RegexMatch(key1, "^"+key2+"$")
}
// KeyMatch5Func is the wrapper for KeyMatch5.
func KeyMatch5Func(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "keyMatch5", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
return KeyMatch5(name1, name2), nil
}
// RegexMatch determines whether key1 matches the pattern of key2 in regular expression.
func RegexMatch(key1 string, key2 string) bool {
res, err := regexp.MatchString(key2, key1)
if err != nil {
panic(err)
}
return res
}
// RegexMatchFunc is the wrapper for RegexMatch.
func RegexMatchFunc(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "regexMatch", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
return RegexMatch(name1, name2), nil
}
// IPMatch determines whether IP address ip1 matches the pattern of IP address ip2, ip2 can be an IP address or a CIDR pattern.
// For example, "192.168.2.123" matches "192.168.2.0/24".
func IPMatch(ip1 string, ip2 string) bool {
objIP1 := net.ParseIP(ip1)
if objIP1 == nil {
panic("invalid argument: ip1 in IPMatch() function is not an IP address.")
}
_, cidr, err := net.ParseCIDR(ip2)
if err != nil {
objIP2 := net.ParseIP(ip2)
if objIP2 == nil {
panic("invalid argument: ip2 in IPMatch() function is neither an IP address nor a CIDR.")
}
return objIP1.Equal(objIP2)
}
return cidr.Contains(objIP1)
}
// IPMatchFunc is the wrapper for IPMatch.
func IPMatchFunc(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "ipMatch", err)
}
ip1 := args[0].(string)
ip2 := args[1].(string)
return IPMatch(ip1, ip2), nil
}
// GlobMatch determines whether key1 matches the pattern of key2 using glob pattern.
func GlobMatch(key1 string, key2 string) (bool, error) {
return path.Match(key2, key1)
}
// GlobMatchFunc is the wrapper for GlobMatch.
func GlobMatchFunc(args ...interface{}) (interface{}, error) {
if err := validateVariadicArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "globMatch", err)
}
name1 := args[0].(string)
name2 := args[1].(string)
return GlobMatch(name1, name2)
}
// GenerateGFunction is the factory method of the g(_, _[, _]) function.
func GenerateGFunction(rm rbac.RoleManager) govaluate.ExpressionFunction {
memorized := sync.Map{}
return func(args ...interface{}) (interface{}, error) {
// Like all our other govaluate functions, all args are strings.
// Allocate and generate a cache key from the arguments...
total := len(args)
for _, a := range args {
aStr := a.(string)
total += len(aStr)
}
builder := strings.Builder{}
builder.Grow(total)
for _, arg := range args {
builder.WriteByte(0)
builder.WriteString(arg.(string))
}
key := builder.String()
// ...and see if we've already calculated this.
v, found := memorized.Load(key)
if found {
return v, nil
}
// If not, do the calculation.
// There are guaranteed to be exactly 2 or 3 arguments.
name1, name2 := args[0].(string), args[1].(string)
if rm == nil {
v = name1 == name2
} else if len(args) == 2 {
v, _ = rm.HasLink(name1, name2)
} else {
domain := args[2].(string)
v, _ = rm.HasLink(name1, name2, domain)
}
memorized.Store(key, v)
return v, nil
}
}
// GenerateConditionalGFunction is the factory method of the g(_, _[, _]) function with conditions.
func GenerateConditionalGFunction(crm rbac.ConditionalRoleManager) govaluate.ExpressionFunction {
return func(args ...interface{}) (interface{}, error) {
// Like all our other govaluate functions, all args are strings.
var hasLink bool
name1, name2 := args[0].(string), args[1].(string)
if crm == nil {
hasLink = name1 == name2
} else if len(args) == 2 {
hasLink, _ = crm.HasLink(name1, name2)
} else {
domain := args[2].(string)
hasLink, _ = crm.HasLink(name1, name2, domain)
}
return hasLink, nil
}
}
// builtin LinkConditionFunc
// TimeMatchFunc is the wrapper for TimeMatch.
func TimeMatchFunc(args ...string) (bool, error) {
if err := validateVariadicStringArgs(2, args...); err != nil {
return false, fmt.Errorf("%s: %w", "TimeMatch", err)
}
return TimeMatch(args[0], args[1])
}
// TimeMatch determines whether the current time is between startTime and endTime.
// You can use "_" to indicate that the parameter is ignored.
func TimeMatch(startTime, endTime string) (bool, error) {
now := time.Now()
if startTime != "_" {
if start, err := time.Parse("2006-01-02 15:04:05", startTime); err != nil {
return false, err
} else if !now.After(start) {
return false, nil
}
}
if endTime != "_" {
if end, err := time.Parse("2006-01-02 15:04:05", endTime); err != nil {
return false, err
} else if !now.Before(end) {
return false, nil
}
}
return true, nil
}

383
vendor/github.com/casbin/casbin/v2/util/util.go generated vendored
View File

@@ -1,383 +0,0 @@
// Copyright 2017 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package util
import (
"encoding/json"
"regexp"
"sort"
"strings"
"sync"
)
var evalReg = regexp.MustCompile(`\beval\((?P<rule>[^)]*)\)`)
var escapeAssertionRegex = regexp.MustCompile(`\b((r|p)[0-9]*)\.`)
func JsonToMap(jsonStr string) (map[string]interface{}, error) {
result := make(map[string]interface{})
err := json.Unmarshal([]byte(jsonStr), &result)
if err != nil {
return result, err
}
return result, nil
}
// EscapeAssertion escapes the dots in the assertion, because the expression evaluation doesn't support such variable names.
func EscapeAssertion(s string) string {
s = escapeAssertionRegex.ReplaceAllStringFunc(s, func(m string) string {
return strings.Replace(m, ".", "_", 1)
})
return s
}
// RemoveComments removes the comments starting with # in the text.
func RemoveComments(s string) string {
pos := strings.Index(s, "#")
if pos == -1 {
return s
}
return strings.TrimSpace(s[0:pos])
}
// ArrayEquals determines whether two string arrays are identical.
func ArrayEquals(a []string, b []string) bool {
if len(a) != len(b) {
return false
}
for i, v := range a {
if v != b[i] {
return false
}
}
return true
}
// Array2DEquals determines whether two 2-dimensional string arrays are identical.
func Array2DEquals(a [][]string, b [][]string) bool {
if len(a) != len(b) {
return false
}
for i, v := range a {
if !ArrayEquals(v, b[i]) {
return false
}
}
return true
}
// SortArray2D Sorts the two-dimensional string array.
func SortArray2D(arr [][]string) {
if len(arr) != 0 {
sort.Slice(arr, func(i, j int) bool {
elementLen := len(arr[0])
for k := 0; k < elementLen; k++ {
if arr[i][k] < arr[j][k] {
return true
} else if arr[i][k] > arr[j][k] {
return false
}
}
return true
})
}
}
// SortedArray2DEquals determines whether two 2-dimensional string arrays are identical.
func SortedArray2DEquals(a [][]string, b [][]string) bool {
if len(a) != len(b) {
return false
}
copyA := make([][]string, len(a))
copy(copyA, a)
copyB := make([][]string, len(b))
copy(copyB, b)
SortArray2D(copyA)
SortArray2D(copyB)
for i, v := range copyA {
if !ArrayEquals(v, copyB[i]) {
return false
}
}
return true
}
// ArrayRemoveDuplicates removes any duplicated elements in a string array.
func ArrayRemoveDuplicates(s *[]string) {
found := make(map[string]bool)
j := 0
for i, x := range *s {
if !found[x] {
found[x] = true
(*s)[j] = (*s)[i]
j++
}
}
*s = (*s)[:j]
}
// ArrayToString gets a printable string for a string array.
func ArrayToString(s []string) string {
return strings.Join(s, ", ")
}
// ParamsToString gets a printable string for variable number of parameters.
func ParamsToString(s ...string) string {
return strings.Join(s, ", ")
}
// SetEquals determines whether two string sets are identical.
func SetEquals(a []string, b []string) bool {
if len(a) != len(b) {
return false
}
sort.Strings(a)
sort.Strings(b)
for i, v := range a {
if v != b[i] {
return false
}
}
return true
}
// SetEquals determines whether two int sets are identical.
func SetEqualsInt(a []int, b []int) bool {
if len(a) != len(b) {
return false
}
sort.Ints(a)
sort.Ints(b)
for i, v := range a {
if v != b[i] {
return false
}
}
return true
}
// Set2DEquals determines whether two string slice sets are identical.
func Set2DEquals(a [][]string, b [][]string) bool {
if len(a) != len(b) {
return false
}
var aa []string
for _, v := range a {
sort.Strings(v)
aa = append(aa, strings.Join(v, ", "))
}
var bb []string
for _, v := range b {
sort.Strings(v)
bb = append(bb, strings.Join(v, ", "))
}
return SetEquals(aa, bb)
}
// JoinSlice joins a string and a slice into a new slice.
func JoinSlice(a string, b ...string) []string {
res := make([]string, 0, len(b)+1)
res = append(res, a)
res = append(res, b...)
return res
}
// JoinSliceAny joins a string and a slice into a new interface{} slice.
func JoinSliceAny(a string, b ...string) []interface{} {
res := make([]interface{}, 0, len(b)+1)
res = append(res, a)
for _, s := range b {
res = append(res, s)
}
return res
}
// SetSubtract returns the elements in `a` that aren't in `b`.
func SetSubtract(a []string, b []string) []string {
mb := make(map[string]struct{}, len(b))
for _, x := range b {
mb[x] = struct{}{}
}
var diff []string
for _, x := range a {
if _, found := mb[x]; !found {
diff = append(diff, x)
}
}
return diff
}
// HasEval determine whether matcher contains function eval.
func HasEval(s string) bool {
return evalReg.MatchString(s)
}
// ReplaceEval replace function eval with the value of its parameters.
func ReplaceEval(s string, rule string) string {
return evalReg.ReplaceAllString(s, "("+rule+")")
}
// ReplaceEvalWithMap replace function eval with the value of its parameters via given sets.
func ReplaceEvalWithMap(src string, sets map[string]string) string {
return evalReg.ReplaceAllStringFunc(src, func(s string) string {
subs := evalReg.FindStringSubmatch(s)
if subs == nil {
return s
}
key := subs[1]
value, found := sets[key]
if !found {
return s
}
return evalReg.ReplaceAllString(s, value)
})
}
// GetEvalValue returns the parameters of function eval.
func GetEvalValue(s string) []string {
subMatch := evalReg.FindAllStringSubmatch(s, -1)
var rules []string
for _, rule := range subMatch {
rules = append(rules, rule[1])
}
return rules
}
func RemoveDuplicateElement(s []string) []string {
result := make([]string, 0, len(s))
temp := map[string]struct{}{}
for _, item := range s {
if _, ok := temp[item]; !ok {
temp[item] = struct{}{}
result = append(result, item)
}
}
return result
}
type node struct {
key interface{}
value interface{}
prev *node
next *node
}
type LRUCache struct {
capacity int
m map[interface{}]*node
head *node
tail *node
}
func NewLRUCache(capacity int) *LRUCache {
cache := &LRUCache{}
cache.capacity = capacity
cache.m = map[interface{}]*node{}
head := &node{}
tail := &node{}
head.next = tail
tail.prev = head
cache.head = head
cache.tail = tail
return cache
}
func (cache *LRUCache) remove(n *node, listOnly bool) {
if !listOnly {
delete(cache.m, n.key)
}
n.prev.next = n.next
n.next.prev = n.prev
}
func (cache *LRUCache) add(n *node, listOnly bool) {
if !listOnly {
cache.m[n.key] = n
}
headNext := cache.head.next
cache.head.next = n
headNext.prev = n
n.next = headNext
n.prev = cache.head
}
func (cache *LRUCache) moveToHead(n *node) {
cache.remove(n, true)
cache.add(n, true)
}
func (cache *LRUCache) Get(key interface{}) (value interface{}, ok bool) {
n, ok := cache.m[key]
if ok {
cache.moveToHead(n)
return n.value, ok
} else {
return nil, ok
}
}
func (cache *LRUCache) Put(key interface{}, value interface{}) {
n, ok := cache.m[key]
if ok {
cache.remove(n, false)
} else {
n = &node{key, value, nil, nil}
if len(cache.m) >= cache.capacity {
cache.remove(cache.tail.prev, false)
}
}
cache.add(n, false)
}
type SyncLRUCache struct {
rwm sync.RWMutex
*LRUCache
}
func NewSyncLRUCache(capacity int) *SyncLRUCache {
cache := &SyncLRUCache{}
cache.LRUCache = NewLRUCache(capacity)
return cache
}
func (cache *SyncLRUCache) Get(key interface{}) (value interface{}, ok bool) {
cache.rwm.Lock()
defer cache.rwm.Unlock()
return cache.LRUCache.Get(key)
}
func (cache *SyncLRUCache) Put(key interface{}, value interface{}) {
cache.rwm.Lock()
defer cache.rwm.Unlock()
cache.LRUCache.Put(key, value)
}

28
vendor/github.com/casbin/govaluate/.gitignore generated vendored
View File

@@ -1,28 +0,0 @@
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so
# Folders
_obj
_test
# Architecture specific extensions/prefixes
*.[568vq]
[568vq].out
*.cgo1.go
*.cgo2.c
_cgo_defun.c
_cgo_gotypes.go
_cgo_export.*
_testmain.go
*.exe
*.test
coverage.out
manual_test.go
*.out
*.err

16
vendor/github.com/casbin/govaluate/.releaserc.json generated vendored
View File

@@ -1,16 +0,0 @@
{
"debug": true,
"branches": [
"+([0-9])?(.{+([0-9]),x}).x",
"master",
{
"name": "beta",
"prerelease": true
}
],
"plugins": [
"@semantic-release/commit-analyzer",
"@semantic-release/release-notes-generator",
"@semantic-release/github"
]
}

15
vendor/github.com/casbin/govaluate/CONTRIBUTORS generated vendored
View File

@@ -1,15 +0,0 @@
This library was authored by George Lester, and contains contributions from:
vjeantet (regex support)
iasci (ternary operator)
oxtoacart (parameter structures, deferred parameter retrieval)
wmiller848 (bitwise operators)
prashantv (optimization of bools)
dpaolella (exposure of variables used in an expression)
benpaxton (fix for missing type checks during literal elide process)
abrander (panic-finding testing tool, float32 conversions)
xfennec (fix for dates being parsed in the current Location)
bgaifullin (lifting restriction on complex/struct types)
gautambt (hexadecimal literals)
felixonmars (fix multiple typos in test names)
sambonfire (automatic type conversion for accessor function calls)

276
vendor/github.com/casbin/govaluate/EvaluableExpression.go generated vendored
View File

@@ -1,276 +0,0 @@
package govaluate
import (
"errors"
"fmt"
)
const isoDateFormat string = "2006-01-02T15:04:05.999999999Z0700"
const shortCircuitHolder int = -1
var DUMMY_PARAMETERS = MapParameters(map[string]interface{}{})
/*
EvaluableExpression represents a set of ExpressionTokens which, taken together,
are an expression that can be evaluated down into a single value.
*/
type EvaluableExpression struct {
/*
Represents the query format used to output dates. Typically only used when creating SQL or Mongo queries from an expression.
Defaults to the complete ISO8601 format, including nanoseconds.
*/
QueryDateFormat string
/*
Whether or not to safely check types when evaluating.
If true, this library will return error messages when invalid types are used.
If false, the library will panic when operators encounter types they can't use.
This is exclusively for users who need to squeeze every ounce of speed out of the library as they can,
and you should only set this to false if you know exactly what you're doing.
*/
ChecksTypes bool
tokens []ExpressionToken
evaluationStages *evaluationStage
inputExpression string
}
/*
Parses a new EvaluableExpression from the given [expression] string.
Returns an error if the given expression has invalid syntax.
*/
func NewEvaluableExpression(expression string) (*EvaluableExpression, error) {
functions := make(map[string]ExpressionFunction)
return NewEvaluableExpressionWithFunctions(expression, functions)
}
/*
Similar to [NewEvaluableExpression], except that instead of a string, an already-tokenized expression is given.
This is useful in cases where you may be generating an expression automatically, or using some other parser (e.g., to parse from a query language)
*/
func NewEvaluableExpressionFromTokens(tokens []ExpressionToken) (*EvaluableExpression, error) {
var ret *EvaluableExpression
var err error
ret = new(EvaluableExpression)
ret.QueryDateFormat = isoDateFormat
err = checkBalance(tokens)
if err != nil {
return nil, err
}
err = checkExpressionSyntax(tokens)
if err != nil {
return nil, err
}
ret.tokens, err = optimizeTokens(tokens)
if err != nil {
return nil, err
}
ret.evaluationStages, err = planStages(ret.tokens)
if err != nil {
return nil, err
}
ret.ChecksTypes = true
return ret, nil
}
/*
Similar to [NewEvaluableExpression], except enables the use of user-defined functions.
Functions passed into this will be available to the expression.
*/
func NewEvaluableExpressionWithFunctions(expression string, functions map[string]ExpressionFunction) (*EvaluableExpression, error) {
var ret *EvaluableExpression
var err error
ret = new(EvaluableExpression)
ret.QueryDateFormat = isoDateFormat
ret.inputExpression = expression
ret.tokens, err = parseTokens(expression, functions)
if err != nil {
return nil, err
}
err = checkBalance(ret.tokens)
if err != nil {
return nil, err
}
err = checkExpressionSyntax(ret.tokens)
if err != nil {
return nil, err
}
ret.tokens, err = optimizeTokens(ret.tokens)
if err != nil {
return nil, err
}
ret.evaluationStages, err = planStages(ret.tokens)
if err != nil {
return nil, err
}
ret.ChecksTypes = true
return ret, nil
}
/*
Same as `Eval`, but automatically wraps a map of parameters into a `govalute.Parameters` structure.
*/
func (this EvaluableExpression) Evaluate(parameters map[string]interface{}) (interface{}, error) {
if parameters == nil {
return this.Eval(nil)
}
return this.Eval(MapParameters(parameters))
}
/*
Runs the entire expression using the given [parameters].
e.g., If the expression contains a reference to the variable "foo", it will be taken from `parameters.Get("foo")`.
This function returns errors if the combination of expression and parameters cannot be run,
such as if a variable in the expression is not present in [parameters].
In all non-error circumstances, this returns the single value result of the expression and parameters given.
e.g., if the expression is "1 + 1", this will return 2.0.
e.g., if the expression is "foo + 1" and parameters contains "foo" = 2, this will return 3.0
*/
func (this EvaluableExpression) Eval(parameters Parameters) (interface{}, error) {
if this.evaluationStages == nil {
return nil, nil
}
if parameters != nil {
parameters = &sanitizedParameters{parameters}
} else {
parameters = DUMMY_PARAMETERS
}
return this.evaluateStage(this.evaluationStages, parameters)
}
func (this EvaluableExpression) evaluateStage(stage *evaluationStage, parameters Parameters) (interface{}, error) {
var left, right interface{}
var err error
if stage.leftStage != nil {
left, err = this.evaluateStage(stage.leftStage, parameters)
if err != nil {
return nil, err
}
}
if stage.isShortCircuitable() {
switch stage.symbol {
case AND:
if left == false {
return false, nil
}
case OR:
if left == true {
return true, nil
}
case COALESCE:
if left != nil {
return left, nil
}
case TERNARY_TRUE:
if left == false {
right = shortCircuitHolder
}
case TERNARY_FALSE:
if left != nil {
right = shortCircuitHolder
}
}
}
if right != shortCircuitHolder && stage.rightStage != nil {
right, err = this.evaluateStage(stage.rightStage, parameters)
if err != nil {
return nil, err
}
}
if this.ChecksTypes {
if stage.typeCheck == nil {
err = typeCheck(stage.leftTypeCheck, left, stage.symbol, stage.typeErrorFormat)
if err != nil {
return nil, err
}
err = typeCheck(stage.rightTypeCheck, right, stage.symbol, stage.typeErrorFormat)
if err != nil {
return nil, err
}
} else {
// special case where the type check needs to know both sides to determine if the operator can handle it
if !stage.typeCheck(left, right) {
errorMsg := fmt.Sprintf(stage.typeErrorFormat, left, stage.symbol.String())
return nil, errors.New(errorMsg)
}
}
}
return stage.operator(left, right, parameters)
}
func typeCheck(check stageTypeCheck, value interface{}, symbol OperatorSymbol, format string) error {
if check == nil {
return nil
}
if check(value) {
return nil
}
errorMsg := fmt.Sprintf(format, value, symbol.String())
return errors.New(errorMsg)
}
/*
Returns an array representing the ExpressionTokens that make up this expression.
*/
func (this EvaluableExpression) Tokens() []ExpressionToken {
return this.tokens
}
/*
Returns the original expression used to create this EvaluableExpression.
*/
func (this EvaluableExpression) String() string {
return this.inputExpression
}
/*
Returns an array representing the variables contained in this EvaluableExpression.
*/
func (this EvaluableExpression) Vars() []string {
var varlist []string
for _, val := range this.Tokens() {
if val.Kind == VARIABLE {
varlist = append(varlist, val.Value.(string))
}
}
return varlist
}

167
vendor/github.com/casbin/govaluate/EvaluableExpression_sql.go generated vendored
View File

@@ -1,167 +0,0 @@
package govaluate
import (
"errors"
"fmt"
"regexp"
"time"
)
/*
Returns a string representing this expression as if it were written in SQL.
This function assumes that all parameters exist within the same table, and that the table essentially represents
a serialized object of some sort (e.g., hibernate).
If your data model is more normalized, you may need to consider iterating through each actual token given by `Tokens()`
to create your query.
Boolean values are considered to be "1" for true, "0" for false.
Times are formatted according to this.QueryDateFormat.
*/
func (this EvaluableExpression) ToSQLQuery() (string, error) {
var stream *tokenStream
var transactions *expressionOutputStream
var transaction string
var err error
stream = newTokenStream(this.tokens)
transactions = new(expressionOutputStream)
for stream.hasNext() {
transaction, err = this.findNextSQLString(stream, transactions)
if err != nil {
return "", err
}
transactions.add(transaction)
}
return transactions.createString(" "), nil
}
func (this EvaluableExpression) findNextSQLString(stream *tokenStream, transactions *expressionOutputStream) (string, error) {
var token ExpressionToken
var ret string
token = stream.next()
switch token.Kind {
case STRING:
ret = fmt.Sprintf("'%v'", token.Value)
case PATTERN:
ret = fmt.Sprintf("'%s'", token.Value.(*regexp.Regexp).String())
case TIME:
ret = fmt.Sprintf("'%s'", token.Value.(time.Time).Format(this.QueryDateFormat))
case LOGICALOP:
switch logicalSymbols[token.Value.(string)] {
case AND:
ret = "AND"
case OR:
ret = "OR"
}
case BOOLEAN:
if token.Value.(bool) {
ret = "1"
} else {
ret = "0"
}
case VARIABLE:
ret = fmt.Sprintf("[%s]", token.Value.(string))
case NUMERIC:
ret = fmt.Sprintf("%g", token.Value.(float64))
case COMPARATOR:
switch comparatorSymbols[token.Value.(string)] {
case EQ:
ret = "="
case NEQ:
ret = "<>"
case REQ:
ret = "RLIKE"
case NREQ:
ret = "NOT RLIKE"
default:
ret = fmt.Sprintf("%s", token.Value)
}
case TERNARY:
switch ternarySymbols[token.Value.(string)] {
case COALESCE:
left := transactions.rollback()
right, err := this.findNextSQLString(stream, transactions)
if err != nil {
return "", err
}
ret = fmt.Sprintf("COALESCE(%v, %v)", left, right)
case TERNARY_TRUE:
fallthrough
case TERNARY_FALSE:
return "", errors.New("Ternary operators are unsupported in SQL output")
}
case PREFIX:
switch prefixSymbols[token.Value.(string)] {
case INVERT:
ret = "NOT"
default:
right, err := this.findNextSQLString(stream, transactions)
if err != nil {
return "", err
}
ret = fmt.Sprintf("%s%s", token.Value.(string), right)
}
case MODIFIER:
switch modifierSymbols[token.Value.(string)] {
case EXPONENT:
left := transactions.rollback()
right, err := this.findNextSQLString(stream, transactions)
if err != nil {
return "", err
}
ret = fmt.Sprintf("POW(%s, %s)", left, right)
case MODULUS:
left := transactions.rollback()
right, err := this.findNextSQLString(stream, transactions)
if err != nil {
return "", err
}
ret = fmt.Sprintf("MOD(%s, %s)", left, right)
default:
ret = fmt.Sprintf("%s", token.Value)
}
case CLAUSE:
ret = "("
case CLAUSE_CLOSE:
ret = ")"
case SEPARATOR:
ret = ","
default:
errorMsg := fmt.Sprintf("Unrecognized query token '%s' of kind '%s'", token.Value, token.Kind)
return "", errors.New(errorMsg)
}
return ret, nil
}

9
vendor/github.com/casbin/govaluate/ExpressionToken.go generated vendored
View File

@@ -1,9 +0,0 @@
package govaluate
/*
Represents a single parsed token.
*/
type ExpressionToken struct {
Kind TokenKind
Value interface{}
}

21
vendor/github.com/casbin/govaluate/LICENSE generated vendored
View File

@@ -1,21 +0,0 @@
The MIT License (MIT)
Copyright (c) 2014-2016 George Lester
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

176
vendor/github.com/casbin/govaluate/MANUAL.md generated vendored
View File

@@ -1,176 +0,0 @@
govaluate
====
This library contains quite a lot of functionality, this document is meant to be formal documentation on the operators and features of it.
Some of this documentation may duplicate what's in README.md, but should never conflict.
# Types
This library only officially deals with four types; `float64`, `bool`, `string`, and arrays.
All numeric literals, with or without a radix, will be converted to `float64` for evaluation. For instance; in practice, there is no difference between the literals "1.0" and "1", they both end up as `float64`. This matters to users because if you intend to return numeric values from your expressions, then the returned value will be `float64`, not any other numeric type.
Any string _literal_ (not parameter) which is interpretable as a date will be converted to a `float64` representation of that date's unix time. Any `time.Time` parameters will not be operable with these date literals; such parameters will need to use the `time.Time.Unix()` method to get a numeric representation.
Arrays are untyped, and can be mixed-type. Internally they're all just `interface{}`. Only two operators can interact with arrays, `IN` and `,`. All other operators will refuse to operate on arrays.
# Operators
## Modifiers
### Addition, concatenation `+`
If either left or right sides of the `+` operator are a `string`, then this operator will perform string concatenation and return that result. If neither are string, then both must be numeric, and this will return a numeric result.
Any other case is invalid.
### Arithmetic `-` `*` `/` `**` `%`
`**` refers to "take to the power of". For instance, `3 ** 4` == 81.
* _Left side_: numeric
* _Right side_: numeric
* _Returns_: numeric
### Bitwise shifts, masks `>>` `<<` `|` `&` `^`
All of these operators convert their `float64` left and right sides to `int64`, perform their operation, and then convert back.
Given how this library assumes numeric are represented (as `float64`), it is unlikely that this behavior will change, even though it may cause havoc with extremely large or small numbers.
* _Left side_: numeric
* _Right side_: numeric
* _Returns_: numeric
### Negation `-`
Prefix only. This can never have a left-hand value.
* _Right side_: numeric
* _Returns_: numeric
### Inversion `!`
Prefix only. This can never have a left-hand value.
* _Right side_: bool
* _Returns_: bool
### Bitwise NOT `~`
Prefix only. This can never have a left-hand value.
* _Right side_: numeric
* _Returns_: numeric
## Logical Operators
For all logical operators, this library will short-circuit the operation if the left-hand side is sufficient to determine what to do. For instance, `true || expensiveOperation()` will not actually call `expensiveOperation()`, since it knows the left-hand side is `true`.
### Logical AND/OR `&&` `||`
* _Left side_: bool
* _Right side_: bool
* _Returns_: bool
### Ternary true `?`
Checks if the left side is `true`. If so, returns the right side. If the left side is `false`, returns `nil`.
In practice, this is commonly used with the other ternary operator.
* _Left side_: bool
* _Right side_: Any type.
* _Returns_: Right side or `nil`
### Ternary false `:`
Checks if the left side is `nil`. If so, returns the right side. If the left side is non-nil, returns the left side.
In practice, this is commonly used with the other ternary operator.
* _Left side_: Any type.
* _Right side_: Any type.
* _Returns_: Right side or `nil`
### Null coalescence `??`
Similar to the C# operator. If the left value is non-nil, it returns that. If not, then the right-value is returned.
* _Left side_: Any type.
* _Right side_: Any type.
* _Returns_: No specific type - whichever is passed to it.
## Comparators
### Numeric/lexicographic comparators `>` `<` `>=` `<=`
If both sides are numeric, this returns the usual greater/lesser behavior that would be expected.
If both sides are string, this returns the lexicographic comparison of the strings. This uses Go's standard lexicographic compare.
* _Accepts_: Left and right side must either be both string, or both numeric.
* _Returns_: bool
### Regex comparators `=~` `!~`
These use go's standard `regexp` flavor of regex. The left side is expected to be the candidate string, the right side is the pattern. `=~` returns whether or not the candidate string matches the regex pattern given on the right. `!~` is the inverted version of the same logic.
* _Left side_: string
* _Right side_: string
* _Returns_: bool
## Arrays
### Separator `,`
The separator, always paired with parenthesis, creates arrays. It must always have both a left and right-hand value, so for instance `(, 0)` and `(0,)` are invalid uses of it.
Again, this should always be used with parenthesis; like `(1, 2, 3, 4)`.
### Membership `IN`
The only operator with a text name, this operator checks the right-hand side array to see if it contains a value that is equal to the left-side value.
Equality is determined by the use of the `==` operator, and this library doesn't check types between the values. Any two values, when cast to `interface{}`, and can still be checked for equality with `==` will act as expected.
Note that you can use a parameter for the array, but it must be an `[]interface{}`.
* _Left side_: Any type.
* _Right side_: array
* _Returns_: bool
# Parameters
Parameters must be passed in every time the expression is evaluated. Parameters can be of any type, but will not cause errors unless actually used in an erroneous way. There is no difference in behavior for any of the above operators for parameters - they are type checked when used.
All `int` and `float` values of any width will be converted to `float64` before use.
At no point is the parameter structure, or any value thereof, modified by this library.
## Alternates to maps
The default form of parameters as a map may not serve your use case. You may have parameters in some other structure, you may want to change the no-parameter-found behavior, or maybe even just have some debugging print statements invoked when a parameter is accessed.
To do this, define a type that implements the `govaluate.Parameters` interface. When you want to evaluate, instead call `EvaluableExpression.Eval` and pass your parameter structure.
# Functions
During expression parsing (_not_ evaluation), a map of functions can be given to `govaluate.NewEvaluableExpressionWithFunctions` (the lengthiest and finest of function names). The resultant expression will be able to invoke those functions during evaluation. Once parsed, an expression cannot have functions added or removed - a new expression will need to be created if you want to change the functions, or behavior of said functions.
Functions always take the form `<name>(<parameters>)`, including parens. Functions can have an empty list of parameters, like `<name>()`, but still must have parens.
If the expression contains something that looks like it ought to be a function (such as `foo()`), but no such function was given to it, it will error on parsing.
Functions must be of type `map[string]govaluate.ExpressionFunction`. `ExpressionFunction`, for brevity, has the following signature:
`func(args ...interface{}) (interface{}, error)`
Where `args` is whatever is passed to the function when called. If a non-nil error is returned from a function during evaluation, the evaluation stops and ultimately returns that error to the caller of `Evaluate()` or `Eval()`.
## Built-in functions
There aren't any builtin functions. The author is opposed to maintaining a standard library of functions to be used.
Every use case of this library is different, and even in simple use cases (such as parameters, see above) different users need different behavior, naming, or even functionality. The author prefers that users make their own decisions about what functions they need, and how they operate.
# Equality
The `==` and `!=` operators involve a moderately complex workflow. They use [`reflect.DeepEqual`](https://golang.org/pkg/reflect/#DeepEqual). This is for complicated reasons, but there are some types in Go that cannot be compared with the native `==` operator. Arrays, in particular, cannot be compared - Go will panic if you try. One might assume this could be handled with the type checking system in `govaluate`, but unfortunately without reflection there is no way to know if a variable is a slice/array. Worse, structs can be incomparable if they _contain incomparable types_.
It's all very complicated. Fortunately, Go includes the `reflect.DeepEqual` function to handle all the edge cases. Currently, `govaluate` uses that for all equality/inequality.

Some files were not shown because too many files have changed in this diff Show More