Added experiment casbin and different polices used for RESTful API.

Use "go test" to run the tests and verify they pass.

Added experiment casbin and different polices used for RESTful API.
Use "go test" to run the tests and verify they pass.
07970d05 · Marcin Siodelski · bfdb9aac · 07970d05 · 07970d05 · 07970d05
Commit 07970d05 authored Oct 02, 2019 by Marcin Siodelski
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -2,4 +2,7 @@ module isc.org/stork

 go 1.13

-require github.com/gin-gonic/gin v1.4.0
+require (
+	github.com/casbin/casbin v1.9.1
+	github.com/gin-gonic/gin v1.4.0
+)
--- a/backend/go.sum
+++ b/backend/go.sum
+github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible h1:1G1pk05UrOh0NlF1oeaaix1x8XzrfjIDK47TY0Zehcw=
+github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
+github.com/casbin/casbin v1.9.1 h1:ucjbS5zTrmSLtH4XogqOG920Poe6QatdXtz1FEbApeM=
+github.com/casbin/casbin v1.9.1/go.mod h1:z8uPsfBJGUsnkagrt3G8QvjgTKFMBJ32UP8HpZllfog=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3 h1:t8FVkw33L+wilf2QiWkw0UV77qRpcH/JHPKGpKa2E8g=
 github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3/go.mod h1:VJ0WA2NBN22VlZ2dKZQPAPnyWw5XTlK1KymzLKsr59s=

--- a/backend/model.conf
+++ b/backend/model.conf
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = (g(r.sub, p.sub) || r.sub == p.sub) && keyMatch3(r.obj, p.obj) && regexMatch(r.act, p.act)
--- a/backend/policy.csv
+++ b/backend/policy.csv
+p, marcin, /servers/2/*, (GET)|(POST)|(PUT)|(DELETE)
+p, xiong, /servers/3/*, GET
+p, subnet_watchers, /subnets, GET
+g, marcin, subnet_watchers
+p, machine_managers, /machines/{id}/*, (GET)|(POST)|(PUT)|(DELETE)
+g, marcin, machine_managers
+
--- a/backend/policy_test.go
+++ b/backend/policy_test.go
+package main
+
+import (
+	"github.com/casbin/casbin"
+	"github.com/casbin/casbin/util"
+	"testing"
+)
+
+
+func enforcePolicy(params ...interface{}) bool {
+	// Ready the model and the policy from the files. In the real case
+	// they will be read from the database.
+	e := casbin.NewEnforcer("./model.conf", "./policy.csv")
+
+	// There are several standard matching functions used in the models
+	// but some of them are not registered by default. The keyMatch3 is
+	// one of them.
+	e.AddFunction("keyMatch3", util.KeyMatch3Func)
+
+	res, err := e.EnforceSafe(params...)
+
+	if err != nil {
+		panic(err.Error())
+	}
+
+	return res
+}
+
+func TestPolicies(t *testing.T) {
+	// User marcin can manage server 2
+	if !enforcePolicy("marcin", "/servers/2/subnets/3", "POST") {
+		t.Errorf("user marcin should be able to manage server 2")
+	}
+
+	// User xiong can't manage server 2
+	if enforcePolicy("xiong", "/servers/2/subnets/3", "POST") {
+		t.Errorf("user xiong should not be able to manage server 2")
+	}
+
+	// but user xiong can view server 3
+	if !enforcePolicy("xiong", "/servers/3/subnets/3", "GET") {
+		t.Errorf("user xiong should be able to view server 3")
+	}
+
+	// user xiong cannot modify server 3
+	if enforcePolicy("xiong", "/servers/3/subnets/3", "POST") {
+		t.Errorf("user xiong should not be able to modify server 3")
+	}
+
+	// user marcin should be able to list all subnets
+	if !enforcePolicy("marcin", "/subnets", "GET") {
+		t.Errorf("user marcin should be able to view fetched subnets")
+	}
+
+	// but user xiong shouldn't be able to list all subnets
+	if enforcePolicy("xiong", "/subnets", "GET") {
+		t.Errorf("user xiong should not be able to view fetched subnets")
+	}
+
+	// marcin should be able to manage a machine as he belongs to the
+	// machine_managers
+	if !enforcePolicy("marcin", "/machines/1/os", "POST") {
+		t.Errorf("user marcin should be able to manage the machine elements")
+	}
+}