对casbin进行了部分测试

包含acl、rbac、abac和使用mysql存储策略等再往后需要再做一些测试学习一下配置文件也就是模型和策略的写法，然后实现一个demo

go.mod

@@ -3,12 +3,22 @@ module github.com/peifengll/tests
 go 1.20
 
 require (
+	github.com/casbin/casbin/v2 v2.77.2
+	github.com/casbin/gorm-adapter/v2 v2.1.0
+	github.com/go-sql-driver/mysql v1.7.1
 	google.golang.org/grpc v1.59.0
 	google.golang.org/protobuf v1.31.0
 )
 
 require (
+	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/jinzhu/gorm v1.9.12 // indirect
+	github.com/jinzhu/inflection v1.0.0 // indirect
+	github.com/lib/pq v1.1.1 // indirect
+	github.com/tidwall/gjson v1.14.4 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
 	golang.org/x/net v0.14.0 // indirect
 	golang.org/x/sys v0.11.0 // indirect
 	golang.org/x/text v0.12.0 // indirect

go.sum

@@ -1,15 +1,70 @@
+github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible h1:1G1pk05UrOh0NlF1oeaaix1x8XzrfjIDK47TY0Zehcw=
+github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
+github.com/casbin/casbin/v2 v2.2.2/go.mod h1:XXtYGrs/0zlOsJMeRteEdVi/FsB0ph7KgNfjoCoJUD8=
+github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3jM=
+github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
+github.com/casbin/gorm-adapter/v2 v2.1.0 h1:wBimcRJ4V/Dq5o95OIBzeM6vvxNfjzCV235biWoSO4I=
+github.com/casbin/gorm-adapter/v2 v2.1.0/go.mod h1:Sy5LYivXiUVRvPZFasa6puLle0RaxNpV2TJ7yzlQkZc=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd h1:83Wprp6ROGeiHFAP8WJdI2RoxALQYgdllERc3N5N2DM=
+github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
+github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
+github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
+github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
+github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
+github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
+github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
+github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
+github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
+github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/jinzhu/gorm v1.9.12 h1:Drgk1clyWT9t9ERbzHza6Mj/8FY/CqMyVzOiHviMo6Q=
+github.com/jinzhu/gorm v1.9.12/go.mod h1:vhTjlKSJUTWNtcbQtrMBFCxy7eXTzeCAzfL5fBZT/Qs=
+github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
+github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
+github.com/jinzhu/now v1.0.1 h1:HjfetcXq097iXP0uoPCdnM4Efp5/9MsM0/M+XOTeR3M=
+github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/lib/pq v1.1.1 h1:sJZmqHoEaY7f+NPP8pgLB/WxulyR3fewgCM2qaSlBb4=
+github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/mattn/go-sqlite3 v2.0.1+incompatible h1:xQ15muvnzGBHpIpdrNi1DA5x0+TcBZzsIDwmw9uTHzw=
+github.com/mattn/go-sqlite3 v2.0.1+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM=
+github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
 google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=

testgasbin/1.acl/main.go

@@ -0,0 +1,46 @@
+package main
+
+import (
+	"fmt"
+	"github.com/casbin/casbin/v2"
+	"log"
+)
+
+//ACL（access-control-list，访问控制列表）。ACL显示定义了每个主体对每个资源的权
+//限情况， 未定义的就没有权限。我们还可以加上超级管理员，超级管理员可以进行任何操作。假设超级管理员为root，
+//我们只需要修改匹配器：
+
+func check(e *casbin.Enforcer, sub, obj, act string) {
+	ok, _ := e.Enforce(sub, obj, act)
+	if ok {
+		fmt.Printf("%s CAN %s %s \n", sub, act, obj)
+	} else {
+		fmt.Printf("%s CANNOT %s %s \n", sub, act, obj)
+	}
+}
+
+func main() {
+	e, err := casbin.NewEnforcer("./model.conf", "./policy.csv")
+	if err != nil {
+		log.Fatalf("NewEnforecer failed:%v \n", err)
+	}
+	//checker1(e)
+	checker2(e)
+
+}
+
+// 测试多个人
+func checker1(e *casbin.Enforcer) {
+	check(e, "dajun", "data1", "read")
+	check(e, "lizi", "data2", "write")
+	check(e, "dajun", "data1", "write")
+	check(e, "dajun", "data2", "read")
+}
+
+// 测试root
+func checker2(e *casbin.Enforcer) {
+	check(e, "root", "data1", "read")
+	check(e, "root", "data2", "write")
+	check(e, "root", "data1", "execute")
+	check(e, "root", "data2", "rwx")
+}

testgasbin/1.acl/model.conf

@@ -0,0 +1,11 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[matchers]
+m = r.sub == p.sub && r.obj == p.obj && r.act == p.act ||r.sub=="root"
+
+[policy_effect]
+e = some(where (p.eft == allow))

testgasbin/1.acl/policy.csv

@@ -0,0 +1,2 @@
+p, dajun, data1, read
+p, lizi, data2, write

testgasbin/2.rbac/main.go

@@ -0,0 +1,30 @@
+package main
+
+import (
+	"fmt"
+	"github.com/casbin/casbin/v2"
+	"log"
+)
+
+func check(e *casbin.Enforcer, sub, obj, act string) {
+	ok, _ := e.Enforce(sub, obj, act)
+	if ok {
+		fmt.Printf("%s CAN %s %s\n", sub, act, obj)
+	} else {
+		fmt.Printf("%s CANNOT %s %s\n", sub, act, obj)
+	}
+}
+
+func main() {
+	e, err := casbin.NewEnforcer("./model.conf", "./policy.csv")
+	if err != nil {
+		log.Fatalf("NewEnforecer failed:%v\n", err)
+	}
+	checker1(e)
+}
+func checker1(e *casbin.Enforcer) {
+	check(e, "dajun", "data", "read")
+	check(e, "dajun", "data", "write")
+	check(e, "lizi", "data", "read")
+	check(e, "lizi", "data", "write")
+}

testgasbin/2.rbac/model.conf

@@ -0,0 +1,17 @@
+[role_definition]
+g = _,_
+
+
+[matchers]
+m= g ( r.sub,p.sub) && r.obj == p.obj &&r.act ==p.act
+
+
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+
+[policy_effect]
+e = some(where (p.eft == allow))

testgasbin/2.rbac/policy.csv

@@ -0,0 +1,6 @@
+p, admin, data, read
+p, admin, data, write
+p, developer, data, read
+g, dajun, admin
+g, lizi, developer
+

testgasbin/3.rbac2/main.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"fmt"
+	"github.com/casbin/casbin/v2"
+	"log"
+)
+
+func check(e *casbin.Enforcer, sub, obj, act string) {
+	ok, _ := e.Enforce(sub, obj, act)
+	if ok {
+		fmt.Printf("%s CAN %s %s\n", sub, act, obj)
+	} else {
+		fmt.Printf("%s CANNOT %s %s\n", sub, act, obj)
+	}
+}
+
+func main() {
+	e, err := casbin.NewEnforcer("./model.conf", "./policy.csv")
+	if err != nil {
+		log.Fatalf("NewEnforecer failed:%v\n", err)
+	}
+	checker1(e)
+}
+func checker1(e *casbin.Enforcer) {
+	check(e, "dajun", "prod.data", "read")
+	check(e, "dajun", "prod.data", "write")
+	check(e, "lizi", "dev.data", "read")
+	check(e, "lizi", "dev.data", "write")
+	check(e, "lizi", "prod.data", "write")
+}

testgasbin/3.rbac2/model.conf

@@ -0,0 +1,18 @@
+[role_definition]
+g = _,_
+g2=_,_
+
+[matchers]
+m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act
+#m= g ( r.sub,p.sub) && r.obj == p.obj &&r.act ==p.act
+
+
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+
+[policy_effect]
+e = some(where (p.eft == allow))

testgasbin/3.rbac2/policy.csv

@@ -0,0 +1,11 @@
+p, admin, prod, read
+p, admin, prod, write
+p, admin, dev, read
+p, admin, dev, write
+p, developer, dev, read
+p, developer, dev, write
+p, developer, prod, read
+g, dajun, admin
+g, lizi, developer
+g2, prod.data, prod
+g2, dev.data, dev

testgasbin/3.rbac2/多个RBAC，用户资源都有角色.txt

@@ -0,0 +1,38 @@
+多个RBAC
+casbin支持同时存在多个RBAC系统，即用户和资源都有角色：
+
+[role_definition]
+g=_,_
+g2=_,_
+
+[matchers]
+m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act
+上面的模型文件定义了两个RBAC系统g和g2，我们在匹配器中使用g(r.sub, p.sub)判断请求主体属于特定组，g2(r.obj, p.obj)判断请求资源属于特定组，且操作一致即可放行。
+
+策略文件:
+
+p, admin, prod, read
+p, admin, prod, write
+p, admin, dev, read
+p, admin, dev, write
+p, developer, dev, read
+p, developer, dev, write
+p, developer, prod, read
+g, dajun, admin
+g, lizi, developer
+g2, prod.data, prod
+g2, dev.data, dev
+先看角色关系，即最后 4 行，dajun属于admin角色，lizi属于developer角色，prod.data属于生产资源prod角色，dev.data属于开发资源dev角色。admin角色拥有对prod和dev类资源的读写权限，developer只能拥有对dev的读写权限和prod的读权限。
+
+check(e, "dajun", "prod.data", "read")
+check(e, "dajun", "prod.data", "write")
+check(e, "lizi", "dev.data", "read")
+check(e, "lizi", "dev.data", "write")
+check(e, "lizi", "prod.data", "write")
+第一个函数中e.Enforce()方法在实际执行的时候先获取dajun所属角色admin，再获取prod.data所属角色prod，根据文件中第一行p, admin, prod, read允许请求。最后一个函数中lizi属于角色developer，而prod.data属于角色prod，所有策略都不允许，故该请求被拒绝：
+
+dajun CAN read prod.data
+dajun CAN write prod.data
+lizi CAN read dev.data
+lizi CAN write dev.data
+lizi CANNOT write prod.data

testgasbin/4.rbac3/main.go

@@ -0,0 +1,30 @@
+package main
+
+import (
+	"fmt"
+	"github.com/casbin/casbin/v2"
+	"log"
+)
+
+func check(e *casbin.Enforcer, sub, obj, act string) {
+	ok, _ := e.Enforce(sub, obj, act)
+	if ok {
+		fmt.Printf("%s CAN %s %s\n", sub, act, obj)
+	} else {
+		fmt.Printf("%s CANNOT %s %s\n", sub, act, obj)
+	}
+}
+
+func main() {
+	e, err := casbin.NewEnforcer("./model.conf", "./policy.csv")
+	if err != nil {
+		log.Fatalf("NewEnforecer failed:%v\n", err)
+	}
+	checker1(e)
+}
+func checker1(e *casbin.Enforcer) {
+	check(e, "dajun", "data", "read")
+	check(e, "dajun", "data", "write")
+	check(e, "lizi", "data", "read")
+	check(e, "lizi", "data", "write")
+}

testgasbin/4.rbac3/model.conf

@@ -0,0 +1,18 @@
+[role_definition]
+g = _,_
+g2=_,_
+
+[matchers]
+m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act
+#m= g ( r.sub,p.sub) && r.obj == p.obj &&r.act ==p.act
+
+
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+
+[policy_effect]
+e = some(where (p.eft == allow))

testgasbin/4.rbac3/policy.csv

@@ -0,0 +1,5 @@
+p, senior, data, write
+p, developer, data, read
+g, dajun, senior
+g, senior, developer
+g, lizi, developer

testgasbin/4.rbac3/多层角色.txt

@@ -0,0 +1,16 @@
+多层角色
+casbin还能为角色定义所属角色，从而实现多层角色关系，这种权限关系是可以传递的。例如dajun属于高级开发者senior，seinor属于开发者，那么dajun也属于开发者，拥有开发者的所有权限。我们可以定义开发者共有的权限，然后额外为senior定义一些特殊的权限。
+
+模型文件不用修改，策略文件改动如下：
+
+p, senior, data, write
+p, developer, data, read
+g, dajun, senior
+g, senior, developer
+g, lizi, developer
+上面policy.csv文件定义了高级开发者senior对数据data有write权限，普通开发者developer对数据只有read权限。同时senior也是developer，所以senior也继承其read权限。dajun属于senior，所以dajun对data有read和write权限，而lizi只属于developer，对数据data只有read权限。
+
+check(e, "dajun", "data", "read")
+check(e, "dajun", "data", "write")
+check(e, "lizi", "data", "read")
+check(e, "lizi", "data", "write")