Define default policies to mimic current behaviour

iam/access.go

@@ -1,9 +1,11 @@
 package iam
 
 import (
+	"fmt"
 	"strings"
 
 	"github.com/datarhei/core/v16/io/fs"
+	"github.com/datarhei/core/v16/log"
 
 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
@@ -11,23 +13,41 @@ import (
 
 type AccessEnforcer interface {
 	Enforce(name, domain, resource, action string) (bool, string)
+	HasGroup(name string) bool
 }
 
 type AccessManager interface {
 	AccessEnforcer
 
-	AddPolicy()
+	AddPolicy(username, domain, resource, actions string) bool
+	RemovePolicy(username, domain, resource, actions string) bool
 }
 
 type access struct {
-	fs fs.Filesystem
+	fs     fs.Filesystem
+	logger log.Logger
 
+	adapter  *adapter
 	enforcer *casbin.Enforcer
 }
 
-func NewAccessManager(fs fs.Filesystem) (AccessManager, error) {
+type AccessConfig struct {
+	FS     fs.Filesystem
+	Logger log.Logger
+}
+
+func NewAccessManager(config AccessConfig) (AccessManager, error) {
 	am := &access{
-		fs: fs,
+		fs:     config.FS,
+		logger: config.Logger,
+	}
+
+	if am.fs == nil {
+		return nil, fmt.Errorf("a filesystem has to be provided")
+	}
+
+	if am.logger == nil {
+		am.logger = log.New("")
 	}
 
 	m := model.NewModel()
@@ -37,7 +57,7 @@ func NewAccessManager(fs fs.Filesystem) (AccessManager, error) {
 	m.AddDef("e", "e", "some(where (p.eft == allow))")
 	m.AddDef("m", "m", `g(r.sub, p.sub, r.dom) && r.dom == p.dom && ResourceMatch(r.obj, r.dom, p.obj) && ActionMatch(r.act, p.act) || r.sub == "$superuser"`)
 
-	a := newAdapter(fs, "./policy.json")
+	a := newAdapter(am.fs, "./policy.json", am.logger)
 
 	e, err := casbin.NewEnforcer(m, a)
 	if err != nil {
@@ -48,13 +68,60 @@ func NewAccessManager(fs fs.Filesystem) (AccessManager, error) {
 	e.AddFunction("ActionMatch", actionMatchFunc)
 
 	am.enforcer = e
+	am.adapter = a
 
 	return am, nil
 }
 
-func (am *access) AddPolicy() {}
+func (am *access) AddPolicy(username, domain, resource, actions string) bool {
+	policy := []string{username, domain, resource, actions}
+
+	if am.enforcer.HasPolicy(policy) {
+		return true
+	}
+
+	ok, _ := am.enforcer.AddPolicy(policy)
+
+	return ok
+}
+
+func (am *access) RemovePolicy(username, domain, resource, actions string) bool {
+	policies := am.enforcer.GetFilteredPolicy(0, username, domain, resource, actions)
+	am.enforcer.RemovePolicies(policies)
+
+	return true
+}
+
+func (am *access) HasGroup(name string) bool {
+	groups, err := am.enforcer.GetAllDomains()
+	if err != nil {
+		return false
+	}
+
+	for _, g := range groups {
+		if g == name {
+			return true
+		}
+	}
+
+	return false
+}
+
 func (am *access) Enforce(name, domain, resource, action string) (bool, string) {
+	l := am.logger.Debug().WithFields(log.Fields{
+		"subject":  name,
+		"domain":   domain,
+		"resource": resource,
+		"action":   action,
+	})
+
 	ok, rule, _ := am.enforcer.EnforceEx(name, domain, resource, action)
 
+	if !ok {
+		l.Log("no match")
+	} else {
+		l.WithField("rule", strings.Join(rule, ", ")).Log("match")
+	}
+
 	return ok, strings.Join(rule, ", ")
 }