casbin: [Bug] Implicit role doesn't work in go-lang lib but work in casbin editor

Describe the bug: We are using the RBAC with domain model to do authorization, and are using group policy to extend one role to another.

In the casbin editor below we can see that can_manage extends the can_use role in all domains, and a user with the can_manage role can also perform can_use actions like attach.

https://editor.casbin.org/#DQV237WAL

But the same logic doesn't work in the casbin go-lang lib, even in the latest version, v2.64.0.

To Reproduce Code example

package main

import (
	"log"

	"github.com/casbin/casbin/v2"
	casbinModel "github.com/casbin/casbin/v2/model"
)

const (
	modelText = `
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
#RBAC
m = g(r.sub, p.sub, r.dom) && keyMatch(r.dom, p.dom) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act) 
`
)

func main() {

	m, err := casbinModel.NewModelFromString(modelText)
	if err != nil {
		panic(err)
	}
	e, err := casbin.NewSyncedEnforcer(m)
	if err != nil {
		panic(err)
	}

	e.AddPolicy("can_manage", "engines/*", "*", "(pause)|(resume)")
	e.AddPolicy("can_use", "engines/*", "*", "(attach)|(detach)")

	e.AddGroupingPolicy("can_manage", "can_use", "*")
	e.AddGroupingPolicy("Username==test2", "can_manage", "engines/engine1")

	implicitRoles, _ := e.GetImplicitRolesForUser("Username==test2", "engines/engine1")
	log.Println(implicitRoles)
	// can_manage

	ok, _, _ := e.EnforceEx("Username==test2", "engines/engine1", "*", "attach")
	log.Println(ok)
	// false
}

Expected behavior: implicitRoles should be can_manage and can_use, and ok should be true.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

@longsunli Thank you for your feedback!

It seems that currently casbin(go) believes that domain “*” and domain “engines/engine1” do not contain relationships, which causes this problem.

If you change the domain "*" to the domain "engines/engine1", the result is exactly as expected.

I plan to identify the cause and fix it in the coming days.
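
A simplified model of the behaviour described in the comment above, added here as an illustration; it is not Casbin's code or the maintainer's fix. The `link` type and the `implicitRoles`, `exact` and `keyMatch` functions are hypothetical names, and the two grouping rules are the ones from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// link is one grouping rule "g, sub, role, dom" (hypothetical type for this model).
type link struct{ sub, role, dom string }

// Constructed from the two AddGroupingPolicy calls in the report.
var reportLinks = []link{
	{"can_manage", "can_use", "*"},
	{"Username==test2", "can_manage", "engines/engine1"},
}

// exact treats domains as opaque strings: "*" is just another domain name.
func exact(dom, linkDom string) bool { return dom == linkDom }

// keyMatch is a simplified stand-in: the text before the first "*" must prefix dom.
func keyMatch(dom, pattern string) bool {
	if i := strings.Index(pattern, "*"); i >= 0 {
		return strings.HasPrefix(dom, pattern[:i])
	}
	return dom == pattern
}

// implicitRoles walks the role graph breadth-first from user, following only
// links whose stored domain applies to the request domain per domMatch.
func implicitRoles(links []link, user, dom string, domMatch func(dom, linkDom string) bool) []string {
	roles := []string{}
	seen := map[string]bool{user: true}
	for queue := []string{user}; len(queue) > 0; queue = queue[1:] {
		for _, l := range links {
			if l.sub == queue[0] && domMatch(dom, l.dom) && !seen[l.role] {
				seen[l.role] = true
				roles = append(roles, l.role)
				queue = append(queue, l.role)
			}
		}
	}
	return roles
}

func main() {
	user, dom := "Username==test2", "engines/engine1"
	fmt.Println(implicitRoles(reportLinks, user, dom, exact))    // [can_manage]
	fmt.Println(implicitRoles(reportLinks, user, dom, keyMatch)) // [can_manage can_use]
}
```

In this model the user's own link stays scoped to "engines/engine1", so the same lookup for "engines/engine2" returns no roles even with pattern matching on domains.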