init filter support

lanlin · lanlin · commit 2a18200cfdca · 2018-06-28T18:05:46.000+08:00
1. unit tests for domain resource roles
2. unit tests for resource roles
3. init filter support

$filter = [];    // the filter for policy to load

$adapter = new AdapterFiltered(‘table_name’, $filter);

$god = new God(‘path_to_model.conf’, $adapter);
diff --git a/src/Model/Model.php b/src/Model/Model.php
@@ -26,22 +26,6 @@ class Model extends Policy
 
     // ------------------------------------------------------------------------------
 
-    /**
-     * @param Model  $model
-     * @param Config $cfg
-     * @param string $sec
-     * @param string $key
-     * @return bool
-     */
-    private function loadAssertion(Model $model, Config $cfg, string $sec, string $key) : bool
-    {
-        $value = $cfg->getString(Consts::SECTION_MAP[$sec] .Consts::CONFIG_SPLIT. $key);
-
-        return $model->addDef($sec, $key, $value);
-    }
-
-    // ------------------------------------------------------------------------------
-
     /**
      * addDef adds an assertion to the model.
      *
@@ -87,28 +71,6 @@ public function addDef(string $sec, string $key, string $value) : bool
 
     // ------------------------------------------------------------------------------
 
-    /**
-     * @param \God\Model\Model   $model
-     * @param \God\Config\Config $cfg
-     * @param string                          $sec
-     */
-    private function loadSection(Model $model, Config $cfg, string $sec) : void
-    {
-        $i = 1;
-
-        while (true)
-        {
-            $key  = $i === 1 ? $sec : $sec.$i;  // key, key1, key2...
-            $temp = $this->loadAssertion($model, $cfg, $sec, $key);
-
-            if (!$temp) { break; }
-
-            $i++;
-        }
-    }
-
-    // ------------------------------------------------------------------------------
-
     /**
      * loadModel loads the model from model CONF file.
      *
@@ -163,4 +125,42 @@ public function printModel() : void
 
     // ------------------------------------------------------------------------------
 
+    /**
+     * @param Model  $model
+     * @param Config $cfg
+     * @param string $sec
+     * @param string $key
+     * @return bool
+     */
+    private function loadAssertion(Model $model, Config $cfg, string $sec, string $key) : bool
+    {
+        $value = $cfg->getString(Consts::SECTION_MAP[$sec] .Consts::CONFIG_SPLIT. $key);
+
+        return $model->addDef($sec, $key, $value);
+    }
+
+    // ------------------------------------------------------------------------------
+
+    /**
+     * @param \God\Model\Model   $model
+     * @param \God\Config\Config $cfg
+     * @param string                          $sec
+     */
+    private function loadSection(Model $model, Config $cfg, string $sec) : void
+    {
+        $i = 1;
+
+        while (true)
+        {
+            $key  = $i === 1 ? $sec : $sec.$i;  // key, key1, key2...
+            $temp = $this->loadAssertion($model, $cfg, $sec, $key);
+
+            if (!$temp) { break; }
+
+            $i++;
+        }
+    }
+
+    // ------------------------------------------------------------------------------
+
 }
diff --git a/src/Persist/Adapter/File/AdapterFiltered.php b/src/Persist/Adapter/File/AdapterFiltered.php
@@ -20,20 +20,34 @@ class AdapterFiltered extends Adapter implements AdapterFilteredInterface
     // ------------------------------------------------------------------------------
 
     /**
+     * is filtered
+     *
      * @var bool
      */
     private $filtered = false;
 
     // ------------------------------------------------------------------------------
 
+    /**
+     * filter conditions
+     *
+     * @var mixed
+     */
+    private $filter = null;
+
+    // ------------------------------------------------------------------------------
+
     /**
      * AdapterFiltered constructor.
      *
      * @param string $filePath
+     * @param mixed $filter
      */
-    public function __construct(string $filePath)
+    public function __construct(string $filePath, $filter = null)
     {
         parent::__construct($filePath);
+
+        $this->filter = $filter;
     }
 
     // ------------------------------------------------------------------------------
@@ -59,7 +73,9 @@ public function loadPolicy(Model $model) : void
     {
         $this->filtered = false;
 
-        parent::loadPolicy($model);
+        empty($this->filter) ?
+        parent::loadPolicy($model) :
+        $this->loadFilteredPolicy($model, $this->filter);
     }
 
     // ------------------------------------------------------------------------------
diff --git a/src/Persist/Adapter/MongoDB/AdapterFiltered.php b/src/Persist/Adapter/MongoDB/AdapterFiltered.php
@@ -19,20 +19,34 @@ class AdapterFiltered extends Adapter implements AdapterFilteredInterface
     // ------------------------------------------------------------------------------
 
     /**
+     * is filtered
+     *
      * @var bool
      */
     private $filtered = false;
 
     // ------------------------------------------------------------------------------
 
+    /**
+     * filter conditions
+     *
+     * @var mixed
+     */
+    private $filter = null;
+
+    // ------------------------------------------------------------------------------
+
     /**
      * AdapterFiltered constructor.
      *
      * @param \MongoDB\Collection $collection
+     * @param mixed $filter
      */
-    public function __construct(\MongoDB\Collection $collection)
+    public function __construct(\MongoDB\Collection $collection, $filter = null)
     {
         parent::__construct($collection);
+
+        $this->filter = $filter;
     }
 
     // ------------------------------------------------------------------------------
@@ -58,7 +72,9 @@ public function loadPolicy(Model $model) : void
     {
         $this->filtered = false;
 
-        parent::loadPolicy($model);
+        empty($this->filter) ?
+        parent::loadPolicy($model) :
+        $this->loadFilteredPolicy($model, $this->filter);
     }
 
     // ------------------------------------------------------------------------------
diff --git a/src/Rbac/DefaultRoleManager.php b/src/Rbac/DefaultRoleManager.php
@@ -45,37 +45,6 @@ public function __construct(int $maxHierarchyLevel)
 
     // ------------------------------------------------------------------------------
 
-    /**
-     * @param string $name
-     * @return bool
-     */
-    private function hasRole(string $name) : bool
-    {
-        return isset($this->allRoles[$name]);
-    }
-
-    // ------------------------------------------------------------------------------
-
-    /**
-     * @param string $name
-     * @return \God\Rbac\DefaultRole
-     */
-    private function createRole(string $name) : DefaultRole
-    {
-        if ($this->hasRole($name))
-        {
-            return $this->allRoles[$name];
-        }
-
-        $role = new DefaultRole($name);
-
-        $this->allRoles[$name] = $role;
-
-        return $role;
-    }
-
-    // ------------------------------------------------------------------------------
-
     /**
      * clear clears all stored data and resets the role manager to the initial state.
      */
@@ -279,4 +248,35 @@ public function printRoles() : void
 
     // ------------------------------------------------------------------------------
 
+    /**
+     * @param string $name
+     * @return bool
+     */
+    private function hasRole(string $name) : bool
+    {
+        return isset($this->allRoles[$name]);
+    }
+
+    // ------------------------------------------------------------------------------
+
+    /**
+     * @param string $name
+     * @return \God\Rbac\DefaultRole
+     */
+    private function createRole(string $name) : DefaultRole
+    {
+        if ($this->hasRole($name))
+        {
+            return $this->allRoles[$name];
+        }
+
+        $role = new DefaultRole($name);
+
+        $this->allRoles[$name] = $role;
+
+        return $role;
+    }
+
+    // ------------------------------------------------------------------------------
+
 }
diff --git a/tests/Examples/rbac_with_domain_resource_roles_model.conf b/tests/Examples/rbac_with_domain_resource_roles_model.conf
@@ -0,0 +1,15 @@
+[request_definition]
+r = sub, dom, obj, act
+
+[policy_definition]
+p = sub, dom, obj, act
+
+[role_definition]
+g = _, _, _
+g2 = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub, r.dom) && g2(r.obj, p.obj) && r.act == p.act
diff --git a/tests/Examples/rbac_with_domain_resource_roles_policy.csv b/tests/Examples/rbac_with_domain_resource_roles_policy.csv
@@ -0,0 +1,6 @@
+p, alice, domain1, data1, read
+p, bob, domain1, data2, write
+p, data_group_admin, domain1, data_group, write
+g, alice, data_group_admin, domain1
+g2, data1, data_group
+g2, data2, data_group
diff --git a/tests/Examples/rbac_with_resource_roles_policy.csv b/tests/Examples/rbac_with_resource_roles_policy.csv
@@ -3,4 +3,5 @@ p, bob, data2, write
 p, data_group_admin, data_group, write
 g, alice, data_group_admin
 g2, data1, data_group
-g2, data2, data_group
+g2, data2, data_group
+g2, data3, data_group
diff --git a/tests/RbacAPIWithDomainResourceRolesUnitTest.php b/tests/RbacAPIWithDomainResourceRolesUnitTest.php
@@ -0,0 +1,34 @@
+<?php namespace GodTests;
+
+use God\God;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * ------------------------------------------------------------------------------------
+ * God Test RBAC
+ * ------------------------------------------------------------------------------------
+ *
+ * @author lanlin
+ * @change 2018/06/28
+ */
+class RbacAPIWithDomainResourceRolesUnitTest extends TestCase
+{
+
+    // ------------------------------------------------------------------------------
+
+    public function testDomainResourceRoles()
+    {
+        $e = new God(
+            TestUtil::$path.'rbac_with_domain_resource_roles_model.conf',
+            TestUtil::$path.'rbac_with_domain_resource_roles_policy.csv'
+        );
+
+        TestUtil::testDomainEnforce($e, 'alice', 'domain1', 'data1', 'read', true);
+        TestUtil::testDomainEnforce($e, 'alice', 'domain1', 'data1', 'write', true);
+        TestUtil::testDomainEnforce($e, 'alice', 'domain1', 'data2', 'read', false);
+        TestUtil::testDomainEnforce($e, 'alice', 'domain1', 'data2', 'write', true);
+    }
+
+    // ------------------------------------------------------------------------------
+
+}
diff --git a/tests/RbacAPIWithResourceRolesUnitTest.php b/tests/RbacAPIWithResourceRolesUnitTest.php
@@ -0,0 +1,32 @@
+<?php namespace GodTests;
+
+use God\God;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * ------------------------------------------------------------------------------------
+ * God Test RBAC
+ * ------------------------------------------------------------------------------------
+ *
+ * @author lanlin
+ * @change 2018/06/28
+ */
+class RbacAPIWithResourceRolesUnitTest extends TestCase
+{
+
+    // ------------------------------------------------------------------------------
+
+    public function testResourceRoles()
+    {
+        $e = new God(TestUtil::$path.'rbac_with_resource_roles_model.conf', TestUtil::$path.'rbac_with_resource_roles_policy.csv');
+
+        TestUtil::testEnforce($e, 'alice', 'data1', 'read', true);
+        TestUtil::testEnforce($e, 'alice', 'data1', 'write', true);
+        TestUtil::testEnforce($e, 'alice', 'data2', 'read', false);
+        TestUtil::testEnforce($e, 'alice', 'data2', 'write', true);
+        TestUtil::testEnforce($e, 'alice', 'data3', 'write', true);
+    }
+
+    // ------------------------------------------------------------------------------
+
+}
