docs: casbin (#332)

2024-02-20 10:53:33 +08:00 · 2024-02-20 10:53:33 +08:00 · 2992f44e44
parent 8e36792dd9
commit 2992f44e44
5 changed files with 57 additions and 26 deletions
--- a/src/biz/casbin/access_control.rs
+++ b/src/biz/casbin/access_control.rs
@ -124,6 +124,38 @@ impl AccessControl {
  }
 }

+/// policy in db:
+///   p = 1, 123, 1 (1 mean AFRole::Owner)
+///   p = 1, 456, 50 (50 mean AFAccessLevel::FullAccess)
+///
+/// role_definition in db:
+///   g = _, _
+///      af role:
+///      ["1", "delete"], ["1", "write"], ["1", "read"],
+///      ["2", "write"], ["2", "read"],
+///      ["3", "read"],
+///      af access level:
+///      ["10", "read"],
+///      ["20", "read"],
+///      ["30", "read"], ["30", "write"],
+///      ["50", "read"], ["50", "write"], ["50", "delete"]
+///
+/// matchers:
+/// r.sub == p.sub && p.obj == r.obj && g(p.act, r.act)
+///
+/// Example:
+///   request:
+///    1. api/workspace/123, user=1, workspace_id=123 GET
+///     r = sub = 1, obj = 123, act =read
+///     p = sub = 1, obj = 123, act = 1
+///
+///    Evaluation:
+///     1. Subject Match: r.sub == p.sub
+///     2. Object Match: p.obj == r.obj
+///     3. Action Permission: g(p.act, r.act) => g(1, read) =>  ["1", "read"]
+///    Result:
+///     Allow
+///
 pub const MODEL_CONF: &str = r###"
 [request_definition]
 r = sub, obj, act
@ -133,13 +165,12 @@ p = sub, obj, act

 [role_definition]
 g = _, _ # rule for action
-g2 = _, _ # rule for collab object id

 [policy_effect]
 e = some(where (p.eft == allow))

 [matchers]
-m = r.sub == p.sub && g2(p.obj, r.obj) && g(p.act, r.act)
+m = r.sub == p.sub && p.obj == r.obj && g(p.act, r.act)
 "###;

 /// Represents the entity stored at the index of the access control policy.
--- a/src/biz/casbin/adapter.rs
+++ b/src/biz/casbin/adapter.rs
@ -134,7 +134,6 @@ impl Adapter for PgAdapter {
        },
      }
    }
-
    // Grouping definition `g` of type `g`. See `model.conf`
    model.add_policies("g", "g", grouping_policies);
    self
--- a/src/biz/casbin/collab_ac.rs
+++ b/src/biz/casbin/collab_ac.rs
@ -1,4 +1,4 @@
-use crate::biz::casbin::access_control::AccessControl;
+use crate::biz::casbin::access_control::{AccessControl, Action};
 use crate::biz::casbin::access_control::{ActionType, ObjectType};
 use actix_http::Method;
 use app_error::AppError;
@ -69,31 +69,31 @@ impl CollabAccessControl for CollabAccessControlImpl {

  async fn can_access_http_method(
    &self,
-    _uid: &i64,
-    _oid: &str,
-    _method: &Method,
+    uid: &i64,
+    oid: &str,
+    method: &Method,
  ) -> Result<bool, AppError> {
-    Ok(true)
-    // let action = Action::from(method);
-    // self
-    //   .access_control
-    //   .enforce(uid, &ObjectType::Collab(oid), action)
-    //   .await
+    // Ok(true)
+    let action = Action::from(method);
+    self
+      .access_control
+      .enforce(uid, &ObjectType::Collab(oid), action)
+      .await
  }

-  async fn can_send_collab_update(&self, _uid: &i64, _oid: &str) -> Result<bool, AppError> {
-    Ok(true)
-    // self
-    //   .access_control
-    //   .enforce(uid, &ObjectType::Collab(oid), Action::Write)
-    //   .await
+  async fn can_send_collab_update(&self, uid: &i64, oid: &str) -> Result<bool, AppError> {
+    // Ok(true)
+    self
+      .access_control
+      .enforce(uid, &ObjectType::Collab(oid), Action::Write)
+      .await
  }

-  async fn can_receive_collab_update(&self, _uid: &i64, _oid: &str) -> Result<bool, AppError> {
-    Ok(true)
-    // self
-    //   .access_control
-    //   .enforce(uid, &ObjectType::Collab(oid), Action::Read)
-    //   .await
+  async fn can_receive_collab_update(&self, uid: &i64, oid: &str) -> Result<bool, AppError> {
+    // Ok(true)
+    self
+      .access_control
+      .enforce(uid, &ObjectType::Collab(oid), Action::Read)
+      .await
  }
 }
--- a/src/biz/casbin/enforcer.rs
+++ b/src/biz/casbin/enforcer.rs
@ -160,6 +160,7 @@ impl AFEnforcer {
      .get_filtered_policy(POLICY_FIELD_INDEX_OBJECT, vec![obj.to_object_id()]);

    if policies_for_object.is_empty() {
+      self.enforcer_result_cache.insert(policy_key, true);
      return Ok(true);
    }

--- a/tests/user/sign_up.rs
+++ b/tests/user/sign_up.rs
@ -64,7 +64,7 @@ async fn sign_up_oauth_not_available() {
 #[tokio::test]
 async fn concurrent_user_sign_up_test() {
  let mut tasks = Vec::new();
-  for _i in 0..50 {
+  for _i in 0..30 {
    let task = tokio::spawn(async move {
      let _ = TestClient::new_user().await;
      tokio::time::sleep(Duration::from_millis(300)).await;