Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Using RBAC w/ Domain pattern matching can lead to unexpected results #351

Closed
imf-code opened this issue Apr 24, 2024 · 2 comments · Fixed by #352
Closed

Using RBAC w/ Domain pattern matching can lead to unexpected results #351

imf-code opened this issue Apr 24, 2024 · 2 comments · Fixed by #352
Assignees
@hsluoyz
Labels
bug Something isn't working released

Comments

@imf-code
Copy link
Contributor

Building role links when domain matching function is set seems to result in some faulty links being created that can lead to unintended/unexpected privileges being granted.

Model:

# The exact model is not important, as the problem seems to lie in resolving g(r.sub, p.sub, r.dom)
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.obj == p.obj && r.act == p.act && g(r.sub, p.sub, r.dom)

Policy:

p, book-reader, *, book, read
g, bob, car-driver, *
g, alice, book-reader, library

Result:

var enforcer = new Enforcer(@"f:\temp\casbin\model.conf", @"f:\temp\casbin\policy.csv",
            new EnforcerOptions() { AutoBuildRoleLinks = false });
enforcer.AddDomainMatchingFunc(BuiltInFunctions.KeyMatch);
enforcer.BuildRoleLinks();

enforcer.Enforce("alice", "school", "book", "read"); // => true (!?)

For reference, the online editor returns false as would seem logical: https://editor.casbin.org/#6AJX758PB

As far as I understand, the issue lies in the AddLink method of DefaultRoleManager.
What happens when the role links are built step-by-step:

  1. '*' is added to the list of domains
  2. 'bob' and 'car-driver' are added as roles in the '*' domain and linked as expected
  3. 'library' is pattern matched to previously added domains and '*' is found
  4. 'alice' and 'book-reader' are added as roles and linked in the '*' domain (!?)
  5. 'alice' and 'book-reader' are added as roles and linked in the 'library' doimain as expected
  6. Since 'school' matches '*' and 'alice' now has 'book-reader' in '*' then: alice, school, book, read => true

The current implementation also results in inconsistent linking based on the order roles are assigned:

If we swap the two role assignments:

p, book-reader, *, book, read
g, alice, book-reader, library
g, bob, car-driver, *

What happens:

  1. 'library' is added to domains
  2. 'alice' and 'book-reader' are added and linked in 'library' domain
  3. ' ´*' doesn't match 'library' and therefore 'bob' and 'car-driver' are only added and linked in '*'
  4. Result: alice, school, book, read => false
@casbin-bot
Copy link
Member

@sagilio @sociometry @AsakusaRinne

@casbin-bot casbin-bot added the question Further information is requested label Apr 24, 2024
@imf-code imf-code mentioned this issue Apr 24, 2024
Merged
@imf-code
Copy link
Contributor Author

My attempt at tackling the issue #352

@hsluoyz hsluoyz added bug Something isn't working and removed question Further information is requested labels Apr 27, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@hsluoyz hsluoyz

Labels
bug Something isn't working released
Projects
Casbin Easy Tasks for Beginners/Student Applicants
Status: Casbin.NET Easy Tasks
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: fix different ways of building role links when domain patterns are enabled imf-code/Casbin.NET
4 participants
@hsluoyz @sagilio @imf-code @casbin-bot