def test_delete_permission_for_user(self):
e = get_enforcer(get_examples("basic_without_resources_model.conf"),
get_examples("basic_without_resources_policy.csv"))
e.add_permission_for_user('bob', 'read')
self.assertTrue(e.enforce('bob', 'read'))
e.delete_permission_for_user('bob', 'read')
self.assertFalse(e.enforce('bob', 'read'))
self.assertTrue(e.enforce('bob', 'write'))
def test_filtered_policy_invalid_filter(self):
adapter = casbin.persist.adapters.FilteredAdapter(
get_examples("rbac_with_domains_policy.csv"))
e = casbin.Enforcer(get_examples("rbac_with_domains_model.conf"),
adapter)
filter = ["", "domain1"]
with self.assertRaises(RuntimeError):
e.load_filtered_policy(filter)
def test_benchmark_rbac_model(self):
e = get_enforcer(get_examples("rbac_model.conf"), get_examples("rbac_policy.csv"))
time = 10000
start = datetime.datetime.now()
for i in range(0, time):
e.enforce("alice", "data2", "read")
end = datetime.datetime.now()
print_time_diff(start, end, time)
def test_delete_role_for_user(self):
e = get_enforcer(get_examples("rbac_model.conf"),
get_examples("rbac_policy.csv"))
e.add_role_for_user('alice', 'data1_admin')
self.assertEqual(e.get_roles_for_user('alice'),
['data2_admin', 'data1_admin'])
e.delete_role_for_user('alice', 'data1_admin')
self.assertEqual(e.get_roles_for_user('alice'), ['data2_admin'])
def test_has_permission_for_user(self):
e = self.get_enforcer(
get_examples("basic_without_resources_model.conf"),
get_examples("basic_without_resources_policy.csv"),
)
self.assertTrue(e.has_permission_for_user("alice", *["read"]))
self.assertFalse(e.has_permission_for_user("alice", *["write"]))
self.assertFalse(e.has_permission_for_user("bob", *["read"]))
self.assertTrue(e.has_permission_for_user("bob", *["write"]))
def test_add_permission_for_user(self):
e = self.get_enforcer(
get_examples("basic_without_resources_model.conf"),
get_examples("basic_without_resources_policy.csv"),
)
e.delete_permission("read")
e.add_permission_for_user("bob", "read")
self.assertTrue(e.enforce("bob", "read"))
self.assertTrue(e.enforce("bob", "write"))
def test_unsupported_filtered_policy(self):
e = casbin.Enforcer(
get_examples("rbac_with_domains_model.conf"),
get_examples("rbac_with_domains_policy.csv"),
)
filter = Filter()
filter.P = ["", "domain1"]
filter.G = ["", "", "domain1"]
with self.assertRaises(ValueError):
e.load_filtered_policy(filter)
def test_modify_policy_api(self):
e = self.get_enforcer(
get_examples("rbac_model.conf"),
get_examples("rbac_policy.csv"),
# True,
)
self.assertEqual(e.get_policy(), [
['alice', 'data1', 'read'],
['bob', 'data2', 'write'],
['data2_admin', 'data2', 'read'],
['data2_admin', 'data2', 'write'],
])
e.add_policy('eve', 'data3', 'read')
e.add_named_policy('p', ['eve', 'data3', 'write'])
self.assertEqual(e.get_policy(), [
['alice', 'data1', 'read'],
['bob', 'data2', 'write'],
['data2_admin', 'data2', 'read'],
['data2_admin', 'data2', 'write'],
['eve', 'data3', 'read'],
['eve', 'data3', 'write'],
])
rules = [['jack', 'data4', 'read'], ['katy', 'data4', 'write'],
['leyo', 'data4', 'read'], ['ham', 'data4', 'write']]
named_policies = [['jack', 'data4',
'write'], ['katy', 'data4', 'read'],
['leyo', 'data4', 'write'], ['ham', 'data4', 'read']]
e.add_policies(rules)
e.add_named_policies('p', named_policies)
self.assertEqual(
e.get_policy(),
[['alice', 'data1', 'read'], ['bob', 'data2', 'write'],
['data2_admin', 'data2', 'read'], [
'data2_admin', 'data2', 'write'
], ['eve', 'data3', 'read'], ['eve', 'data3', 'write'],
["jack", "data4", "read"], ["katy", "data4", "write"],
["leyo", "data4", "read"], ["ham", "data4", "write"],
['jack', 'data4', 'write'], ['katy', 'data4', 'read'],
['leyo', 'data4', 'write'], ['ham', 'data4', 'read']])
e.remove_policies(rules)
e.remove_named_policies('p', named_policies)
self.assertEqual(e.get_policy(), [
['alice', 'data1', 'read'],
['bob', 'data2', 'write'],
['data2_admin', 'data2', 'read'],
['data2_admin', 'data2', 'write'],
['eve', 'data3', 'read'],
['eve', 'data3', 'write'],
])
def test_get_list(self):
e = self.get_enforcer(
get_examples("rbac_model.conf"),
get_examples("rbac_policy.csv"),
# True,
)
self.assertEqual(e.get_all_subjects(), ["alice", "bob", "data2_admin"])
self.assertEqual(e.get_all_objects(), ["data1", "data2"])
self.assertEqual(e.get_all_actions(), ["read", "write"])
self.assertEqual(e.get_all_roles(), ["data2_admin"])
def test_get_list(self):
e = self.get_enforcer(
get_examples("rbac_model.conf"),
get_examples("rbac_policy.csv"),
# True,
)
self.assertEqual(e.get_all_subjects(), ['alice', 'bob', 'data2_admin'])
self.assertEqual(e.get_all_objects(), ['data1', 'data2'])
self.assertEqual(e.get_all_actions(), ['read', 'write'])
self.assertEqual(e.get_all_roles(), ['data2_admin'])
def test_delete_role_for_user(self):
e = self.get_enforcer(get_examples("rbac_model.conf"),
get_examples("rbac_policy.csv"))
e.add_role_for_user("alice", "data1_admin")
self.assertEqual(
sorted(e.get_roles_for_user("alice")),
sorted(["data2_admin", "data1_admin"]),
)
e.delete_role_for_user("alice", "data1_admin")
self.assertEqual(e.get_roles_for_user("alice"), ["data2_admin"])
def test_enforce_implicit_roles_with_domain(self):
e = self.get_enforcer(
get_examples("rbac_with_domains_model.conf"),
get_examples("rbac_with_hierarchy_with_domains_policy.csv"))
self.assertTrue(
e.get_roles_for_user_in_domain('alice', 'domain1') ==
['role:global_admin'])
self.assertTrue(
e.get_implicit_roles_for_user('alice', 'domain1') ==
["role:global_admin", "role:reader", "role:writer"])
def test_delete_role(self):
e = self.get_enforcer(get_examples("rbac_model.conf"),
get_examples("rbac_policy.csv"))
e.delete_role('data2_admin')
self.assertTrue(e.enforce('alice', 'data1', 'read'))
self.assertFalse(e.enforce('alice', 'data1', 'write'))
self.assertFalse(e.enforce('alice', 'data2', 'read'))
self.assertFalse(e.enforce('alice', 'data2', 'write'))
self.assertFalse(e.enforce('bob', 'data1', 'read'))
self.assertFalse(e.enforce('bob', 'data1', 'write'))
self.assertFalse(e.enforce('bob', 'data2', 'read'))
self.assertTrue(e.enforce('bob', 'data2', 'write'))
def test_delete_role(self):
e = self.get_enforcer(get_examples("rbac_model.conf"),
get_examples("rbac_policy.csv"))
e.delete_role("data2_admin")
self.assertTrue(e.enforce("alice", "data1", "read"))
self.assertFalse(e.enforce("alice", "data1", "write"))
self.assertFalse(e.enforce("alice", "data2", "read"))
self.assertFalse(e.enforce("alice", "data2", "write"))
self.assertFalse(e.enforce("bob", "data1", "read"))
self.assertFalse(e.enforce("bob", "data1", "write"))
self.assertFalse(e.enforce("bob", "data2", "read"))
self.assertTrue(e.enforce("bob", "data2", "write"))
def test_implicit_user_api(self):
e = self.get_enforcer(get_examples("rbac_model.conf"),
get_examples("rbac_with_hierarchy_policy.csv"))
self.assertEqual(["alice"],
e.get_implicit_users_for_permission("data1", "read"))
self.assertEqual(["alice"],
e.get_implicit_users_for_permission("data1", "write"))
self.assertEqual(["alice"],
e.get_implicit_users_for_permission("data2", "read"))
self.assertEqual(["alice", "bob"],
e.get_implicit_users_for_permission("data2", "write"))
def test_enforce_implicit_roles_with_domain(self):
e = self.get_enforcer(
get_examples("rbac_with_domains_model.conf"),
get_examples("rbac_with_hierarchy_with_domains_policy.csv"),
)
self.assertEqual(e.get_roles_for_user_in_domain("alice", "domain1"),
["role:global_admin"])
self.assertEqual(
sorted(e.get_implicit_roles_for_user("alice", "domain1")),
sorted(["role:global_admin", "role:reader", "role:writer"]),
)
def test_update_policies(self):
m = Model()
m.load_model(get_examples("basic_model.conf"))
old_rules = [
["admin", "domain1", "data1", "read"],
["admin", "domain1", "data2", "read"],
["admin", "domain1", "data3", "read"],
]
new_rules = [
["admin", "domain1", "data4", "read"],
["admin", "domain1", "data5", "read"],
["admin", "domain1", "data6", "read"],
]
m.add_policies("p", "p", old_rules)
for old_rule in old_rules:
self.assertTrue(m.has_policy("p", "p", old_rule))
m.update_policies("p", "p", old_rules, new_rules)
for old_rule in old_rules:
self.assertFalse(m.has_policy("p", "p", old_rule))
for new_rule in new_rules:
self.assertTrue(m.has_policy("p", "p", new_rule))
m = Model()
m.load_model(get_examples("priority_model_explicit.conf"))
old_rules = [
["1", "admin", "data1", "read", "allow"],
["1", "admin", "data2", "read", "allow"],
["1", "admin", "data3", "read", "allow"],
]
new_rules = [
["1", "admin", "data4", "read", "allow"],
["1", "admin", "data5", "read", "allow"],
["1", "admin", "data6", "read", "allow"],
]
m.add_policies("p", "p", old_rules)
for old_rule in old_rules:
self.assertTrue(m.has_policy("p", "p", old_rule))
m.update_policies("p", "p", old_rules, new_rules)
for old_rule in old_rules:
self.assertFalse(m.has_policy("p", "p", old_rule))
for new_rule in new_rules:
self.assertTrue(m.has_policy("p", "p", new_rule))
def test_enforce_implicit_roles_api(self):
e = self.get_enforcer(get_examples("rbac_model.conf"),
get_examples("rbac_with_hierarchy_policy.csv"))
self.assertTrue(
e.get_permissions_for_user('alice') == [["alice", "data1", "read"]
])
self.assertTrue(
e.get_permissions_for_user('bob') == [["bob", "data2", "write"]])
self.assertTrue(
e.get_implicit_roles_for_user('alice') ==
['admin', 'data1_admin', 'data2_admin'])
self.assertTrue(e.get_implicit_roles_for_user('bob') == [])
def test_get_policy_multiple_matching_functions(self):
e = self.get_enforcer(
get_examples("rbac_with_domain_and_policy_pattern_model.conf"),
get_examples("rbac_with_domain_and_policy_pattern_policy.csv"),
)
self.assertEqual(
e.get_policy(),
[
["admin", "domain.*", "data1", "read"],
["user", "domain.*", "data3", "read"],
["user", "domain.1", "data2", "read"],
["user", "domain.1", "data2", "write"],
],
)
km2_fn = casbin.util.key_match2_func
self.assertEqual(
sorted(
e.get_filtered_policy(1, partial(km2_fn, "domain.2"),
lambda a: "data" in a)),
sorted([
["admin", "domain.*", "data1", "read"],
["user", "domain.*", "data3", "read"],
]),
)
self.assertEqual(
sorted(
e.get_filtered_policy(1, partial(km2_fn, "domain.1"),
lambda a: "data" in a, "read")),
sorted([
["admin", "domain.*", "data1", "read"],
["user", "domain.1", "data2", "read"],
["user", "domain.*", "data3", "read"],
]),
)
self.assertEqual(
sorted(
e.get_filtered_policy(1, partial(km2_fn, "domain.1"), "",
"reading".startswith)),
sorted([
["admin", "domain.*", "data1", "read"],
["user", "domain.1", "data2", "read"],
["user", "domain.*", "data3", "read"],
]),
)
def test_filtered_adapter_empty_filepath(self):
adapter = casbin.persist.adapters.FilteredAdapter("")
e = casbin.Enforcer(get_examples("rbac_with_domains_model.conf"),
adapter)
with self.assertRaises(RuntimeError):
e.load_filtered_policy(None)
def test_update_filtered_policies(self):
e = casbin.Enforcer(
get_examples("rbac_model.conf"),
get_examples("rbac_policy.csv"),
)
e.update_filtered_policies(
[
["data2_admin", "data3", "read"],
["data2_admin", "data3", "write"],
],
0,
"data2_admin",
)
self.assertTrue(e.enforce("data2_admin", "data3", "write"))
self.assertTrue(e.enforce("data2_admin", "data3", "read"))
def test_has_policy(self):
m = Model()
m.load_model(get_examples("basic_model.conf"))
rule = ["admin", "domain1", "data1", "read"]
m.add_policy("p", "p", rule)
self.assertTrue(m.has_policy("p", "p", rule))
def test_get_policy_matching_function(self):
e = self.get_enforcer(
get_examples("rbac_with_domain_and_policy_pattern_model.conf"),
get_examples("rbac_with_domain_and_policy_pattern_policy.csv"),
)
self.assertEqual(
e.get_policy(),
[
["admin", "domain.*", "data1", "read"],
["user", "domain.*", "data3", "read"],
["user", "domain.1", "data2", "read"],
["user", "domain.1", "data2", "write"],
],
)
km2_fn = casbin.util.key_match2_func
self.assertEqual(
e.get_filtered_grouping_policy(2, partial(km2_fn, "domain.3")),
[["alice", "user", "*"], ["bob", "admin", "domain.3"]],
)
self.assertEqual(
e.get_filtered_grouping_policy(2, partial(km2_fn, "domain.1")),
[["alice", "user", "*"]],
)
# first and second p record matches to domain.3
self.assertEqual(
e.get_filtered_policy(1, partial(km2_fn, "domain.3")),
[
["admin", "domain.*", "data1", "read"],
["user", "domain.*", "data3", "read"],
],
)
self.assertEqual(
sorted(
e.get_filtered_policy(1, partial(km2_fn, "domain.1"), "",
"read")),
sorted([
["admin", "domain.*", "data1", "read"],
["user", "domain.1", "data2", "read"],
["user", "domain.*", "data3", "read"],
]),
)
def test_has_policy(self):
m = Model()
m.load_model(get_examples("basic_model.conf"))
rule = ['admin', 'domain1', 'data1', 'read']
m.add_policy('p', 'p', rule)
self.assertTrue(m.has_policy('p', 'p', rule))
def test_get_policy_api(self):
e = self.get_enforcer(
get_examples("rbac_model.conf"),
get_examples("rbac_policy.csv"),
)
self.assertEqual(e.get_policy(), [
['alice', 'data1', 'read'],
['bob', 'data2', 'write'],
['data2_admin', 'data2', 'read'],
['data2_admin', 'data2', 'write'],
])
self.assertEqual(e.get_filtered_policy(0, 'alice'), [['alice', 'data1', 'read']])
self.assertEqual(e.get_filtered_policy(0, 'bob'), [['bob', 'data2', 'write']])
self.assertEqual(e.get_filtered_policy(0, 'data2_admin'),
[['data2_admin', 'data2', 'read'], ['data2_admin', 'data2', 'write']])
self.assertEqual(e.get_filtered_policy(1, 'data1'), [['alice', 'data1', 'read']])
self.assertEqual(e.get_filtered_policy(1, 'data2'),
[['bob', 'data2', 'write'], ['data2_admin', 'data2', 'read'],
['data2_admin', 'data2', 'write']])
self.assertEqual(e.get_filtered_policy(2, 'read'),
[['alice', 'data1', 'read'], ['data2_admin', 'data2', 'read']])
self.assertEqual(e.get_filtered_policy(2, 'write'),
[['bob', 'data2', 'write'], ['data2_admin', 'data2', 'write']])
self.assertEqual(e.get_filtered_policy(0, 'data2_admin', 'data2'),
[['data2_admin', 'data2', 'read'], ['data2_admin', 'data2', 'write']])
# Note: "" (empty string) in fieldValues means matching all values.
self.assertEqual(e.get_filtered_policy(0, 'data2_admin', '', 'read'), [['data2_admin', 'data2', 'read']])
self.assertEqual(e.get_filtered_policy(1, 'data2', 'write'),
[['bob', 'data2', 'write'], ['data2_admin', 'data2', 'write']])
self.assertTrue(e.has_policy(['alice', 'data1', 'read']))
self.assertTrue(e.has_policy(['bob', 'data2', 'write']))
self.assertFalse(e.has_policy(['alice', 'data2', 'read']))
self.assertFalse(e.has_policy(['bob', 'data3', 'write']))
self.assertEqual(e.get_grouping_policy(), [['alice', 'data2_admin']])
self.assertEqual(e.get_filtered_grouping_policy(0, 'alice'), [['alice', 'data2_admin']])
self.assertEqual(e.get_filtered_grouping_policy(0, 'bob'), [])
self.assertEqual(e.get_filtered_grouping_policy(1, 'data1_admin'), [])
self.assertEqual(e.get_filtered_grouping_policy(1, 'data2_admin'), [['alice', 'data2_admin']])
# Note: "" (empty string) in fieldValues means matching all values.
self.assertEqual(e.get_filtered_grouping_policy(0, '', 'data2_admin'), [['alice', 'data2_admin']])
self.assertTrue(e.has_grouping_policy(['alice', 'data2_admin']))
self.assertFalse(e.has_grouping_policy(['bob', 'data2_admin']))
def test_casbin_js_get_permission_for_user(self):
e = casbin.SyncedEnforcer(
get_examples("rbac_model.conf"),
get_examples("rbac_with_hierarchy_policy.csv"),
)
received = json.loads(casbin.casbin_js_get_permission_for_user(e, "alice"))
with open(get_examples("rbac_model.conf"), "r") as file:
expected_model_str = file.read()
self.assertEqual(received["m"], re.sub("\n+", "\n", expected_model_str))
with open(get_examples("rbac_with_hierarchy_policy.csv"), "r") as file:
expected_policies_str = file.read()
expected_policy_item = re.split(r",|\n", expected_policies_str)
i = 0
for s_arr in received["p"]:
for s in s_arr:
self.assertEqual(s.strip(), expected_policy_item[i].strip())
i += 1
def test_domain_match_model(self):
e = self.get_enforcer(
get_examples("rbac_with_domain_pattern_model.conf"),
get_examples("rbac_with_domain_pattern_policy.csv"),
)
e.get_role_manager().add_domain_matching_func(
casbin.util.key_match2_func)
self.assertTrue(e.enforce("alice", "domain1", "data1", "read"))
self.assertTrue(e.enforce("alice", "domain1", "data1", "write"))
self.assertFalse(e.enforce("alice", "domain1", "data2", "read"))
self.assertFalse(e.enforce("alice", "domain1", "data2", "write"))
self.assertTrue(e.enforce("alice", "domain2", "data2", "read"))
self.assertTrue(e.enforce("alice", "domain2", "data2", "write"))
self.assertFalse(e.enforce("bob", "domain2", "data1", "read"))
self.assertFalse(e.enforce("bob", "domain2", "data1", "write"))
self.assertTrue(e.enforce("bob", "domain2", "data2", "read"))
self.assertTrue(e.enforce("bob", "domain2", "data2", "write"))
def test_enforce_implicit_permissions_api_with_domain(self):
e = self.get_enforcer(
get_examples("rbac_with_domains_model.conf"),
get_examples("rbac_with_hierarchy_with_domains_policy.csv"))
self.assertTrue(
e.get_roles_for_user_in_domain('alice', 'domain1') ==
['role:global_admin'])
self.assertTrue(
e.get_implicit_roles_for_user('alice', 'domain1') ==
['role:global_admin', 'role:reader', 'role:writer'])
self.assertTrue(
e.get_implicit_permissions_for_user('alice', 'domain1') ==
[['alice', 'domain1', 'data2', 'read'],
["role:reader", "domain1", "data1", "read"],
["role:writer", "domain1", "data1", "write"]])
self.assertTrue(
e.get_implicit_permissions_for_user('bob', 'domain1') == [])
def test_filtered_policy_empty_filter(self):
adapter = casbin.persist.adapters.FilteredAdapter(
get_examples("rbac_with_domains_policy.csv"))
e = casbin.Enforcer(get_examples("rbac_with_domains_model.conf"),
adapter)
try:
e.load_filtered_policy(None)
except:
raise RuntimeError("unexpected error in LoadFilteredPolicy")
if e.is_filtered():
raise RuntimeError(
"adapter did not reset the filtered flag correctly")
try:
e.save_policy()
except:
raise RuntimeError("unexpected error in SavePolicy")
def test_enforce_get_roles_with_domain(self):
e = self.get_enforcer(
get_examples("rbac_with_domains_model.conf"),
get_examples("rbac_with_domains_policy.csv"),
)
self.assertEqual(e.get_roles_for_user_in_domain("alice", "domain1"),
["admin"])
self.assertEqual(e.get_roles_for_user_in_domain("bob", "domain1"), [])
self.assertEqual(e.get_roles_for_user_in_domain("admin", "domain1"),
[])
self.assertEqual(
e.get_roles_for_user_in_domain("non_exist", "domain1"), [])
self.assertEqual(e.get_roles_for_user_in_domain("alice", "domain2"),
[])
self.assertEqual(e.get_roles_for_user_in_domain("bob", "domain2"),
["admin"])
self.assertEqual(e.get_roles_for_user_in_domain("admin", "domain2"),
[])
self.assertEqual(
e.get_roles_for_user_in_domain("non_exist", "domain2"), [])
e.delete_roles_for_user_in_domain("alice", "admin", "domain1")
e.add_role_for_user_in_domain("bob", "admin", "domain1")
self.assertEqual(e.get_roles_for_user_in_domain("alice", "domain1"),
[])
self.assertEqual(e.get_roles_for_user_in_domain("bob", "domain1"),
["admin"])
self.assertEqual(e.get_roles_for_user_in_domain("admin", "domain1"),
[])
self.assertEqual(
e.get_roles_for_user_in_domain("non_exist", "domain1"), [])
self.assertEqual(e.get_roles_for_user_in_domain("alice", "domain2"),
[])
self.assertEqual(e.get_roles_for_user_in_domain("bob", "domain2"),
["admin"])
self.assertEqual(e.get_roles_for_user_in_domain("admin", "domain2"),
[])
self.assertEqual(
e.get_roles_for_user_in_domain("non_exist", "domain2"), [])