Commit 07970d05 authored by Marcin Siodelski's avatar Marcin Siodelski

Added experimental casbin and different policies used for RESTful API.

Use "go test" to run the tests and verify they pass.
parent bfdb9aac
......@@ -2,4 +2,7 @@ module isc.org/stork
go 1.13
require github.com/gin-gonic/gin v1.4.0
require (
github.com/casbin/casbin v1.9.1
github.com/gin-gonic/gin v1.4.0
)
github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible h1:1G1pk05UrOh0NlF1oeaaix1x8XzrfjIDK47TY0Zehcw=
github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
github.com/casbin/casbin v1.9.1 h1:ucjbS5zTrmSLtH4XogqOG920Poe6QatdXtz1FEbApeM=
github.com/casbin/casbin v1.9.1/go.mod h1:z8uPsfBJGUsnkagrt3G8QvjgTKFMBJ32UP8HpZllfog=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3 h1:t8FVkw33L+wilf2QiWkw0UV77qRpcH/JHPKGpKa2E8g=
github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3/go.mod h1:VJ0WA2NBN22VlZ2dKZQPAPnyWw5XTlK1KymzLKsr59s=
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = (g(r.sub, p.sub) || r.sub == p.sub) && keyMatch3(r.obj, p.obj) && regexMatch(r.act, p.act)
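Review bot: The matcher compares the action with `regexMatch(r.act, p.act)`, while the policy lines written against this model use unanchored patterns such as `GET` and `(GET)|(POST)|(PUT)|(DELETE)`; as far as I know casbin's regexMatch is a plain regexp.MatchString, which matches anywhere in the string, so a pattern like `GET` also accepts any action that merely contains those letters. That is harmless while r.act is always a bare HTTP method, but anchoring the patterns in policy.csv (`^GET$`, `^(GET|POST|PUT|DELETE)$`) makes the intended exact match explicit and keeps it safe if the action vocabulary ever grows. The `|| r.sub == p.sub` half of the subject test is also probably redundant, since casbin's default role manager already treats a subject as linked to itself, but it does no harm.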
p, marcin, /servers/2/*, (GET)|(POST)|(PUT)|(DELETE)
p, xiong, /servers/3/*, GET
p, subnet_watchers, /subnets, GET
g, marcin, subnet_watchers
p, machine_managers, /machines/{id}/*, (GET)|(POST)|(PUT)|(DELETE)
g, marcin, machine_managers
package main
import (
"github.com/casbin/casbin"
"github.com/casbin/casbin/util"
"testing"
)
func enforcePolicy(params ...interface{}) bool {
// Ready the model and the policy from the files. In the real case
// they will be read from the database.
e := casbin.NewEnforcer("./model.conf", "./policy.csv")
// There are several standard matching functions used in the models
// but some of them are not registered by default. The keyMatch3 is
// one of them.
e.AddFunction("keyMatch3", util.KeyMatch3Func)
res, err := e.EnforceSafe(params...)
if err != nil {
panic(err.Error())
}
return res
}
func TestPolicies(t *testing.T) {
// User marcin can manage server 2
if !enforcePolicy("marcin", "/servers/2/subnets/3", "POST") {
t.Errorf("user marcin should be able to manage server 2")
}
// User xiong can't manage server 2
if enforcePolicy("xiong", "/servers/2/subnets/3", "POST") {
t.Errorf("user xiong should not be able to manage server 2")
}
// but user xiong can view server 3
if !enforcePolicy("xiong", "/servers/3/subnets/3", "GET") {
t.Errorf("user xiong should be able to view server 3")
}
// user xiong cannot modify server 3
if enforcePolicy("xiong", "/servers/3/subnets/3", "POST") {
t.Errorf("user xiong should not be able to modify server 3")
}
// user marcin should be able to list all subnets
if !enforcePolicy("marcin", "/subnets", "GET") {
t.Errorf("user marcin should be able to view fetched subnets")
}
// but user xiong shouldn't be able to list all subnets
if enforcePolicy("xiong", "/subnets", "GET") {
t.Errorf("user xiong should not be able to view fetched subnets")
}
// marcin should be able to manage a machine as he belongs to the
// machine_managers
if !enforcePolicy("marcin", "/machines/1/os", "POST") {
t.Errorf("user marcin should be able to manage the machine elements")
}
}
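Review bot: enforcePolicy rebuilds the enforcer from ./model.conf and ./policy.csv on every call and turns any enforcement error into `panic(err.Error())`, which hides which assertion was running and makes the whole test package crash on a missing file rather than report a failure; since it is only a test helper, pass `t *testing.T`, use casbin v1's `NewEnforcerSafe` (which returns an error instead of panicking on a bad path, if I remember the v1 API correctly) and report through `t.Fatalf`. TestPolicies also has no denial case for marcin (e.g. server 3, or a path outside the policy) and none for an unknown subject, so a policy that accidentally allowed everything would still pass; a couple of `if enforcePolicy(t, "nobody", "/servers/2/subnets/3", "GET")` style checks would close that gap. The rewritten helper below keeps the same return value; each call in TestPolicies would gain `t` as its first argument.
```go
func enforcePolicy(t *testing.T, params ...interface{}) bool {
	t.Helper()
	// Read the model and the policy from the files. In the real case
	// they will be read from the database.
	e, err := casbin.NewEnforcerSafe("./model.conf", "./policy.csv")
	if err != nil {
		t.Fatalf("loading model and policy: %v", err)
	}
	// keyMatch3 is one of the standard matchers that is not registered by default.
	e.AddFunction("keyMatch3", util.KeyMatch3Func)
	res, err := e.EnforceSafe(params...)
	if err != nil {
		t.Fatalf("enforcing %v: %v", params, err)
	}
	return res
}
// … unchanged: TestPolicies, with t passed as the first argument of every enforcePolicy call …
```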