feat: Support multiple policy definitions (p, p2) (#518)

Author: hsluoyz

examples/multiple_policy_definitions_model.conf

@@ -0,0 +1,19 @@
+[request_definition]
+r = sub, obj, act
+r2 = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+p2= sub_rule, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+#RABC
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
+#ABAC
+m2 = eval(p2.sub_rule) && r2.obj == p2.obj && r2.act == p2.act

examples/multiple_policy_definitions_policy.csv

@@ -0,0 +1,5 @@
+p, data2_admin, data2, read
+p2, r2.sub.Age > 18 && r2.sub.Age < 60, /data1, read, allow
+p2, r2.sub.Age > 60 && r2.sub.Age < 100, /data1, read, deny
+
+g, alice, data2_admin

examples/rbac_with_multiple_policy_model.conf

@@ -0,0 +1,17 @@
+[request_definition]
+r = user, thing, action
+
+[policy_definition]
+p = role, thing, action
+p2 = role, action
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.user, p.role) && r.thing == p.thing && r.action == p.action
+m2 = g(r.user, p2.role) && r.action == p.action
+
+[role_definition]
+g = _,_
+g2 = _,_

examples/rbac_with_multiple_policy_policy.csv

@@ -0,0 +1,9 @@
+p, user, /data, GET
+p, admin, /data, POST
+
+p2, user, view
+p2, admin, create
+
+g, admin, user
+g, alice, admin
+g2, alice, user

src/coreEnforcer.ts

@@ -479,7 +479,7 @@ export class CoreEnforcer {
 
     const effectStream = this.eft.newStream(effectExpr);
 
-    if (policyLen && policyLen !== 0) {
+    if (policyLen && policyLen !== 0 && expString.includes(`${enforceContext.pType}_`)) {
       for (let i = 0; i < policyLen; i++) {
         const parameters: { [key: string]: any } = {};
 

test/multiplePolicyDefinitions.test.ts

@@ -0,0 +1,28 @@
+// Copyright 2018 The Casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { newEnforcer, newEnforceContext } from '../src';
+
+test('TestMultiplePolicyDefinitions', async () => {
+  const e = await newEnforcer('examples/multiple_policy_definitions_model.conf', 'examples/multiple_policy_definitions_policy.csv');
+  const enforceContext = newEnforceContext('2');
+  enforceContext.eType = 'e';
+
+  // Test with default context (r, p, e, m)
+  await expect(e.enforce('alice', 'data2', 'read')).resolves.toBe(true);
+
+  // Test with EnforceContext for r2, p2, e, m2
+  await expect(e.enforce(enforceContext, { Age: 70 }, '/data1', 'read')).resolves.toBe(false);
+  await expect(e.enforce(enforceContext, { Age: 30 }, '/data1', 'read')).resolves.toBe(true);
+});

test/rbacAPI.test.ts

@@ -202,3 +202,20 @@ test('test getImplicitUsersForRole', async () => {
   expect(await e.getImplicitUsersForRole('admin')).toEqual(['alice']);
   expect(await e.getImplicitUsersForRole('data1_admin')).toEqual(['admin', 'alice']);
 });
+
+test('test rbac with multiple policy definitions', async () => {
+  const e = await newEnforcer('examples/rbac_with_multiple_policy_model.conf', 'examples/rbac_with_multiple_policy_policy.csv');
+
+  // Test getting named policies for different policy types
+  const pPolicies = await e.getNamedPolicy('p');
+  expect(pPolicies).toEqual([
+    ['user', '/data', 'GET'],
+    ['admin', '/data', 'POST'],
+  ]);
+
+  const p2Policies = await e.getNamedPolicy('p2');
+  expect(p2Policies).toEqual([
+    ['user', 'view'],
+    ['admin', 'create'],
+  ]);
+});