docs: casbin (#332)
parent
8e36792dd9
commit
2992f44e44
|
|
@ -124,6 +124,38 @@ impl AccessControl {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// policy in db:
|
||||||
|
/// p = 1, 123, 1 (1 mean AFRole::Owner)
|
||||||
|
/// p = 1, 456, 50 (50 mean AFAccessLevel::FullAccess)
|
||||||
|
///
|
||||||
|
/// role_definition in db:
|
||||||
|
/// g = _, _
|
||||||
|
/// af role:
|
||||||
|
/// ["1", "delete"], ["1", "write"], ["1", "read"],
|
||||||
|
/// ["2", "write"], ["2", "read"],
|
||||||
|
/// ["3", "read"],
|
||||||
|
/// af access level:
|
||||||
|
/// ["10", "read"],
|
||||||
|
/// ["20", "read"],
|
||||||
|
/// ["30", "read"], ["30", "write"],
|
||||||
|
/// ["50", "read"], ["50", "write"], ["50", "delete"]
|
||||||
|
///
|
||||||
|
/// matchers:
|
||||||
|
/// r.sub == p.sub && p.obj == r.obj && g(p.act, r.act)
|
||||||
|
///
|
||||||
|
/// Example:
|
||||||
|
/// request:
|
||||||
|
/// 1. api/workspace/123, user=1, workspace_id=123 GET
|
||||||
|
/// r = sub = 1, obj = 123, act =read
|
||||||
|
/// p = sub = 1, obj = 123, act = 1
|
||||||
|
///
|
||||||
|
/// Evaluation:
|
||||||
|
/// 1. Subject Match: r.sub == p.sub
|
||||||
|
/// 2. Object Match: p.obj == r.obj
|
||||||
|
/// 3. Action Permission: g(p.act, r.act) => g(1, read) => ["1", "read"]
|
||||||
|
/// Result:
|
||||||
|
/// Allow
|
||||||
|
///
|
||||||
pub const MODEL_CONF: &str = r###"
|
pub const MODEL_CONF: &str = r###"
|
||||||
[request_definition]
|
[request_definition]
|
||||||
r = sub, obj, act
|
r = sub, obj, act
|
||||||
|
|
@ -133,13 +165,12 @@ p = sub, obj, act
|
||||||
|
|
||||||
[role_definition]
|
[role_definition]
|
||||||
g = _, _ # rule for action
|
g = _, _ # rule for action
|
||||||
g2 = _, _ # rule for collab object id
|
|
||||||
|
|
||||||
[policy_effect]
|
[policy_effect]
|
||||||
e = some(where (p.eft == allow))
|
e = some(where (p.eft == allow))
|
||||||
|
|
||||||
[matchers]
|
[matchers]
|
||||||
m = r.sub == p.sub && g2(p.obj, r.obj) && g(p.act, r.act)
|
m = r.sub == p.sub && p.obj == r.obj && g(p.act, r.act)
|
||||||
"###;
|
"###;
|
||||||
|
|
||||||
/// Represents the entity stored at the index of the access control policy.
|
/// Represents the entity stored at the index of the access control policy.
|
||||||
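Review bot: Replacing `g2(p.obj, r.obj)` with `p.obj == r.obj` makes object matching exact, so a request on a collab object is now checked only against policy rows stored for that exact object id; the removed `g2 = _, _ # rule for collab object id` line suggests collab ids were previously grouped under another object (presumably their workspace), and that inheritance is gone. If a collab object has no `p` rows of its own, the enforcer's empty-policy branch elsewhere in this commit (`if policies_for_object.is_empty() { return Ok(true); }`) lets any subject through, so this reads as a widening rather than a tightening unless every collab object is guaranteed its own rows at creation — worth confirming. At minimum the new doc comment above `MODEL_CONF` should state the change, e.g. `/// Object matching is exact: a collab object id does not inherit its workspace's policies.` and `/// Role values ("1".."3") and access-level values ("10".."50") share the single `g` grouping, so the two enums must never use the same numeric value.` The surrounding `impl AccessControl` starts outside this hunk.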
|
|
|
||||||
|
|
@ -134,7 +134,6 @@ impl Adapter for PgAdapter {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Grouping definition `g` of type `g`. See `model.conf`
|
// Grouping definition `g` of type `g`. See `model.conf`
|
||||||
model.add_policies("g", "g", grouping_policies);
|
model.add_policies("g", "g", grouping_policies);
|
||||||
self
|
self
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
use crate::biz::casbin::access_control::AccessControl;
|
use crate::biz::casbin::access_control::{AccessControl, Action};
|
||||||
use crate::biz::casbin::access_control::{ActionType, ObjectType};
|
use crate::biz::casbin::access_control::{ActionType, ObjectType};
|
||||||
use actix_http::Method;
|
use actix_http::Method;
|
||||||
use app_error::AppError;
|
use app_error::AppError;
|
||||||
|
|
@ -69,31 +69,31 @@ impl CollabAccessControl for CollabAccessControlImpl {
|
||||||
|
|
||||||
async fn can_access_http_method(
|
async fn can_access_http_method(
|
||||||
&self,
|
&self,
|
||||||
_uid: &i64,
|
uid: &i64,
|
||||||
_oid: &str,
|
oid: &str,
|
||||||
_method: &Method,
|
method: &Method,
|
||||||
) -> Result<bool, AppError> {
|
) -> Result<bool, AppError> {
|
||||||
Ok(true)
|
// Ok(true)
|
||||||
// let action = Action::from(method);
|
let action = Action::from(method);
|
||||||
// self
|
self
|
||||||
// .access_control
|
.access_control
|
||||||
// .enforce(uid, &ObjectType::Collab(oid), action)
|
.enforce(uid, &ObjectType::Collab(oid), action)
|
||||||
// .await
|
.await
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn can_send_collab_update(&self, _uid: &i64, _oid: &str) -> Result<bool, AppError> {
|
async fn can_send_collab_update(&self, uid: &i64, oid: &str) -> Result<bool, AppError> {
|
||||||
Ok(true)
|
// Ok(true)
|
||||||
// self
|
self
|
||||||
// .access_control
|
.access_control
|
||||||
// .enforce(uid, &ObjectType::Collab(oid), Action::Write)
|
.enforce(uid, &ObjectType::Collab(oid), Action::Write)
|
||||||
// .await
|
.await
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn can_receive_collab_update(&self, _uid: &i64, _oid: &str) -> Result<bool, AppError> {
|
async fn can_receive_collab_update(&self, uid: &i64, oid: &str) -> Result<bool, AppError> {
|
||||||
Ok(true)
|
// Ok(true)
|
||||||
// self
|
self
|
||||||
// .access_control
|
.access_control
|
||||||
// .enforce(uid, &ObjectType::Collab(oid), Action::Read)
|
.enforce(uid, &ObjectType::Collab(oid), Action::Read)
|
||||||
// .await
|
.await
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
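Review bot: The three `// Ok(true)` lines left above each `enforce` call are commented-out code that documents exactly how to disable the check again, and should be deleted now that enforcement is live. Beyond style, `can_access_http_method` derives the action from `Action::from(method)` for any HTTP method; what verbs such as PATCH, HEAD or OPTIONS map to is not visible here, and if the conversion falls back to `Read` or a permissive default it would be worth a comment on that line, e.g. `// Action::from maps unknown verbs to <X> — confirm this is the intended default.` Also consider a unit test asserting that a subject without policies for an `ObjectType::Collab` is rejected, since the prior stub allowed everything and nothing in this hunk pins the new behaviour.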
|
|
|
||||||
|
|
@ -160,6 +160,7 @@ impl AFEnforcer {
|
||||||
.get_filtered_policy(POLICY_FIELD_INDEX_OBJECT, vec![obj.to_object_id()]);
|
.get_filtered_policy(POLICY_FIELD_INDEX_OBJECT, vec![obj.to_object_id()]);
|
||||||
|
|
||||||
if policies_for_object.is_empty() {
|
if policies_for_object.is_empty() {
|
||||||
|
self.enforcer_result_cache.insert(policy_key, true);
|
||||||
return Ok(true);
|
return Ok(true);
|
||||||
}
|
}
|
||||||
|
|
||||||
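Review bot: The added `self.enforcer_result_cache.insert(policy_key, true);` caches an allow decision that was reached because no policy exists for the object, not because a policy granted access; unless the cache is cleared when rows for that object are later inserted (not visible in this hunk), the first subject to touch a fresh object keeps an allow entry after restrictions are added. The branch itself is fail-open — any subject gets `Ok(true)` for an object with no rows — which is only safe if every object is guaranteed its policies before it becomes reachable. Suggest not caching this branch so a later policy insert takes effect on the next request, and documenting the intent, e.g. `// No policy rows for this object: treated as unrestricted (fail-open); do not cache, a policy may be added later.` The enclosing method starts and ends outside this hunk.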
|
|
|
||||||
|
|
@ -64,7 +64,7 @@ async fn sign_up_oauth_not_available() {
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
async fn concurrent_user_sign_up_test() {
|
async fn concurrent_user_sign_up_test() {
|
||||||
let mut tasks = Vec::new();
|
let mut tasks = Vec::new();
|
||||||
for _i in 0..50 {
|
for _i in 0..30 {
|
||||||
let task = tokio::spawn(async move {
|
let task = tokio::spawn(async move {
|
||||||
let _ = TestClient::new_user().await;
|
let _ = TestClient::new_user().await;
|
||||||
tokio::time::sleep(Duration::from_millis(300)).await;
|
tokio::time::sleep(Duration::from_millis(300)).await;
|
||||||
|
|
|
||||||