Fix getImplicitPermissionsForUser to support wildcard domains in role hierarchies

Copilot · mserico · Copilot · commit 24c7c876ed4a · 2025-12-08T17:19:45.000Z
Co-authored-by: mserico &lt;140243407+mserico@users.noreply.github.com&gt;
diff --git a/examples/rbac_with_hierarchy_with_wildcard_domain_model.conf b/examples/rbac_with_hierarchy_with_wildcard_domain_model.conf
@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act, dom
+
+[policy_definition]
+p = sub, obj, act, dom
+
+[role_definition]
+g = _, _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = (g(r.sub, p.sub, r.dom) || g(r.sub, p.sub, '*')) && (p.dom == '*' || r.dom == p.dom) && r.obj == p.obj && r.act == p.act
diff --git a/examples/rbac_with_hierarchy_with_wildcard_domain_policy.csv b/examples/rbac_with_hierarchy_with_wildcard_domain_policy.csv
@@ -0,0 +1,20 @@
+p, abstract_role1, devis, read, *
+p, abstract_role1, devis, create, *
+p, abstract_role2, devis, read, *
+p, abstract_role2, organization, read, *
+p, abstract_role2, organization, write, *
+
+g, role1, abstract_role1, tenant1
+g, role1, abstract_role1, tenant2
+g, role1, abstract_role1, tenant3
+g, role2, abstract_role2, tenant1
+g, role2, abstract_role2, tenant2
+g, role2, abstract_role2, tenant3
+g, super_user, abstract_role2, *
+
+g, michael, role1, tenant1
+g, antoine, role1, tenant2
+g, kevin, role1, tenant3
+g, thomas, role2, tenant1
+g, lucie, role2, tenant3
+g, theo, super_user, *
diff --git a/src/enforcer.ts b/src/enforcer.ts
@@ -305,13 +305,25 @@ export class Enforcer extends ManagementEnforcer {
     let n: string | undefined;
     while ((n = q.shift()) !== undefined) {
       for (const rm of this.rmMap.values()) {
+        // Get roles for the specified domain
         const role = await rm.getRoles(n, ...domain);
         role.forEach((r) => {
           if (!res.has(r)) {
             res.add(r);
             q.push(r);
           }
         });
+        
+        // Also check for roles with wildcard domain if a specific domain was provided
+        if (domain && domain.length > 0 && domain[0] !== '*') {
+          const wildcardRoles = await rm.getRoles(n, '*');
+          wildcardRoles.forEach((r) => {
+            if (!res.has(r)) {
+              res.add(r);
+              q.push(r);
+            }
+          });
+        }
       }
     }
 
@@ -337,7 +349,23 @@ export class Enforcer extends ManagementEnforcer {
 
     for (const n of roles) {
       if (withDomain) {
-        const p = await this.getFilteredPolicy(0, n, ...domain);
+        // Get all policies for this role/user (filter by subject only)
+        const allPolicies = await this.getFilteredPolicy(0, n);
+        
+        // Get the domain field index from the model
+        const domainIndex = this.model.getFieldIndex('p', FieldIndex.Domain);
+        
+        // Filter policies to match the requested domain or wildcard domain
+        const p = allPolicies.filter((policy) => {
+          if (domainIndex === -1) {
+            // No domain field in policy, use old behavior
+            return domain.every((d, i) => policy[i + 1] === d);
+          }
+          // Check if policy domain matches requested domain or is wildcard
+          const policyDomain = policy[domainIndex];
+          return policyDomain === domain[0] || policyDomain === '*';
+        });
+        
         res.push(...p);
       } else {
         const p = await this.getPermissionsForUser(n);
diff --git a/test/rbacAPI.test.ts b/test/rbacAPI.test.ts
@@ -219,3 +219,32 @@ test('test rbac with multiple policy definitions', async () => {
     ['admin', 'create'],
   ]);
 });
+
+test('test getImplicitPermissionsForUser with role hierarchy and wildcard domain', async () => {
+  const e = await newEnforcer(
+    'examples/rbac_with_hierarchy_with_wildcard_domain_model.conf',
+    'examples/rbac_with_hierarchy_with_wildcard_domain_policy.csv'
+  );
+
+  // Test user 'michael' who has role1 in tenant1
+  // role1 inherits from abstract_role1 in tenant1
+  // abstract_role1 has permissions with wildcard domain '*'
+  const michaelPerms = await e.getImplicitPermissionsForUser('michael', 'tenant1');
+  expect(michaelPerms).toContainEqual(['abstract_role1', 'devis', 'read', '*']);
+  expect(michaelPerms).toContainEqual(['abstract_role1', 'devis', 'create', '*']);
+
+  // Test user 'thomas' who has role2 in tenant1
+  // role2 inherits from abstract_role2 in tenant1
+  // abstract_role2 has multiple permissions with wildcard domain '*'
+  const thomasPerms = await e.getImplicitPermissionsForUser('thomas', 'tenant1');
+  expect(thomasPerms).toContainEqual(['abstract_role2', 'devis', 'read', '*']);
+  expect(thomasPerms).toContainEqual(['abstract_role2', 'organization', 'read', '*']);
+  expect(thomasPerms).toContainEqual(['abstract_role2', 'organization', 'write', '*']);
+
+  // Test user 'theo' who has super_user role with wildcard domain
+  // super_user inherits from abstract_role2 with wildcard domain '*'
+  const theoPerms = await e.getImplicitPermissionsForUser('theo', 'any_tenant');
+  expect(theoPerms).toContainEqual(['abstract_role2', 'devis', 'read', '*']);
+  expect(theoPerms).toContainEqual(['abstract_role2', 'organization', 'read', '*']);
+  expect(theoPerms).toContainEqual(['abstract_role2', 'organization', 'write', '*']);
+});
