diff --git a/src/biz/casbin/access_control.rs b/src/biz/casbin/access_control.rs
index 11f5b335..6478ade2 100644
--- a/src/biz/casbin/access_control.rs
+++ b/src/biz/casbin/access_control.rs
@@ -124,6 +124,38 @@ impl AccessControl {
 }
 }
+/// policy in db:
+/// p = 1, 123, 1 (1 mean AFRole::Owner)
+/// p = 1, 456, 50 (50 mean AFAccessLevel::FullAccess)
+///
+/// role_definition in db:
+/// g = _, _
+/// af role:
+/// ["1", "delete"], ["1", "write"], ["1", "read"],
+/// ["2", "write"], ["2", "read"],
+/// ["3", "read"],
+/// af access level:
+/// ["10", "read"],
+/// ["20", "read"],
+/// ["30", "read"], ["30", "write"],
+/// ["50", "read"], ["50", "write"], ["50", "delete"]
+///
+/// matchers:
+/// r.sub == p.sub && p.obj == r.obj && g(p.act, r.act)
+///
+/// Example:
+/// request:
+/// 1. api/workspace/123, user=1, workspace_id=123 GET
+/// r = sub = 1, obj = 123, act =read
+/// p = sub = 1, obj = 123, act = 1
+///
+/// Evaluation:
+/// 1. Subject Match: r.sub == p.sub
+/// 2. Object Match: p.obj == r.obj
+/// 3. Action Permission: g(p.act, r.act) => g(1, read) => ["1", "read"]
+/// Result:
+/// Allow
+///
 pub const MODEL_CONF: &str = r###"
 [request_definition]
 r = sub, obj, act
@@ -133,13 +165,12 @@ p = sub, obj, act
 [role_definition]
 g = _, _ # rule for action
-g2 = _, _ # rule for collab object id
 [policy_effect]
 e = some(where (p.eft == allow))
 [matchers]
-m = r.sub == p.sub && g2(p.obj, r.obj) && g(p.act, r.act)
+m = r.sub == p.sub && p.obj == r.obj && g(p.act, r.act)
 "###;
 /// Represents the entity stored at the index of the access control policy.
diff --git a/src/biz/casbin/adapter.rs b/src/biz/casbin/adapter.rs
index 78797559..8d9f2727 100644
--- a/src/biz/casbin/adapter.rs
+++ b/src/biz/casbin/adapter.rs
@@ -134,7 +134,6 @@ impl Adapter for PgAdapter {
 },
 }
 }
-    // Grouping definition `g` of type `g`. See `model.conf`
 model.add_policies("g", "g", grouping_policies);
 self
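Review bot: The new doc comment on `MODEL_CONF` mislabels its second section: the heading `role_definition in db:` followed by `g = _, _` describes the grouping *definition* that lives in this model string, while the `["1", "delete"], ...` pairs under it are the grouping *policies* loaded from storage, so that heading should read something like `/// grouping policies (g) loaded from db:`. Two wording slips in the same block: `(1 mean AFRole::Owner)` and `(50 mean AFAccessLevel::FullAccess)` should say `means`, and `act =read` should be `act = read` so it lines up with the `p = sub = 1, obj = 123, act = 1` line below it. The example starts from an HTTP `GET` but never says how that verb becomes `act = read`; presumably that is `Action::from(&Method)`, which this diff calls but does not show, and one line naming it would close the gap for the next reader.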
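Review bot: Replacing `g2(p.obj, r.obj)` with `p.obj == r.obj` makes object matching exact, so any object that previously inherited a policy through the removed `g2` grouping (`# rule for collab object id`) now has no matching `p` row at all. In this enforcer that is not a deny: the `policies_for_object.is_empty()` branch in the enforcer.rs hunk of this same diff returns `Ok(true)`, so a collab id without its own policy row is allowed for every subject and action. Whether that is reachable depends on per-collab policy rows being written for every collab, which is not visible here (the adapter hunk only drops a comment and does not show where `g2` rows stop being loaded). Before this matcher ships I would want either a guarantee that every collab gets its own `p` rows or that empty-policy branch turned into a deny, and a sentence in the `MODEL_CONF` doc stating which one holds.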
diff --git a/src/biz/casbin/collab_ac.rs b/src/biz/casbin/collab_ac.rs
index 3941adba..61a5973f 100644
--- a/src/biz/casbin/collab_ac.rs
+++ b/src/biz/casbin/collab_ac.rs
@@ -1,4 +1,4 @@
-use crate::biz::casbin::access_control::AccessControl;
+use crate::biz::casbin::access_control::{AccessControl, Action};
 use crate::biz::casbin::access_control::{ActionType, ObjectType};
 use actix_http::Method;
 use app_error::AppError;
@@ -69,31 +69,31 @@ impl CollabAccessControl for CollabAccessControlImpl {
 async fn can_access_http_method(
 &self,
- _uid: &i64,
- _oid: &str,
- _method: &Method,
+ uid: &i64,
+ oid: &str,
+ method: &Method,
 ) -> Result {
- Ok(true)
- // let action = Action::from(method);
- // self
- // .access_control
- // .enforce(uid, &ObjectType::Collab(oid), action)
- // .await
+ // Ok(true)
+ let action = Action::from(method);
+ self
+ .access_control
+ .enforce(uid, &ObjectType::Collab(oid), action)
+ .await
 }
- async fn can_send_collab_update(&self, _uid: &i64, _oid: &str) -> Result {
- Ok(true)
- // self
- // .access_control
- // .enforce(uid, &ObjectType::Collab(oid), Action::Write)
- // .await
+ async fn can_send_collab_update(&self, uid: &i64, oid: &str) -> Result {
+ // Ok(true)
+ self
+ .access_control
+ .enforce(uid, &ObjectType::Collab(oid), Action::Write)
+ .await
 }
- async fn can_receive_collab_update(&self, _uid: &i64, _oid: &str) -> Result {
- Ok(true)
- // self
- // .access_control
- // .enforce(uid, &ObjectType::Collab(oid), Action::Read)
- // .await
+ async fn can_receive_collab_update(&self, uid: &i64, oid: &str) -> Result {
+ // Ok(true)
+ self
+ .access_control
+ .enforce(uid, &ObjectType::Collab(oid), Action::Read)
+ .await
 }
 }
diff --git a/src/biz/casbin/enforcer.rs b/src/biz/casbin/enforcer.rs
index 5da0565f..7c9324ba 100644
--- a/src/biz/casbin/enforcer.rs
+++ b/src/biz/casbin/enforcer.rs
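Review bot: Each of the three re-enabled methods keeps a `// Ok(true)` line above the real `enforce` call; that is commented-out code that reads like a switch someone may flip back on an authorization path, so drop it in `can_access_http_method`, `can_send_collab_update` and `can_receive_collab_update`. The HTTP check now rests entirely on `Action::from(method)` covering every verb the routes accept; that impl is outside this diff, so I would confirm it does not map an unexpected verb to the least-privileged action by default. A short doc comment on the impl would also help, e.g. `/// All three checks delegate to AccessControl::enforce on ObjectType::Collab(oid); an object with no policy rows is decided by AFEnforcer, not here.`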
@@ -160,6 +160,7 @@ impl AFEnforcer {
 .get_filtered_policy(POLICY_FIELD_INDEX_OBJECT, vec![obj.to_object_id()]);
 if policies_for_object.is_empty() {
+ self.enforcer_result_cache.insert(policy_key, true);
 return Ok(true);
 }
diff --git a/tests/user/sign_up.rs b/tests/user/sign_up.rs
index 393c6603..1afb8042 100644
--- a/tests/user/sign_up.rs
+++ b/tests/user/sign_up.rs
@@ -64,7 +64,7 @@ async fn sign_up_oauth_not_available() {
 #[tokio::test]
 async fn concurrent_user_sign_up_test() {
 let mut tasks = Vec::new();
- for _i in 0..50 {
+ for _i in 0..30 {
 let task = tokio::spawn(async move {
 let _ = TestClient::new_user().await;
 tokio::time::sleep(Duration::from_millis(300)).await;
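Review bot: The added `self.enforcer_result_cache.insert(policy_key, true);` caches an allow that was derived from the absence of policies for the object, not from a policy match, so the entry is only correct until the first policy row for that object is written. Unless every policy add or remove for an object also evicts its entries from `enforcer_result_cache` (not visible in this hunk; the enclosing function starts outside it), a subject allowed while the object had no rules keeps being allowed from cache after rules exist. The surrounding `return Ok(true)` on an empty policy list is itself fail-open; if that must stay, I would not cache it, or at minimum state the contract above the insert, e.g. `// Cached allow for a policy-less object: must be evicted on any policy change for obj.`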