feat: subject priority

casbin/core_enforcer.py

@@ -189,6 +189,8 @@ def load_policy(self):
 
             self.adapter.load_policy(new_model)
 
+            self.model.sort_policies_by_subject_hierarchy()
+
             new_model.sort_policies_by_priority()
 
             self.init_rm_map()

casbin/model/model.py

@@ -2,6 +2,9 @@
 from casbin import util, config
 from .policy import Policy
 
+DEFAULT_DOMAIN = ""
+DEFAULT_SEPARATOR = "::"
+
 
 class Model(Policy):
 
@@ -99,6 +102,78 @@ def sort_policies_by_priority(self):
 
         return None
 
+    def sort_policies_by_subject_hierarchy(self):
+        if self["e"]["e"].value != "subjectPriority(p_eft) || deny":
+            return
+
+        sub_index = 0
+        domain_index = -1
+        for ptype, assertion in self["p"].items():
+            for index, token in enumerate(assertion.tokens):
+                if token == "{}_dom".format(ptype):
+                    domain_index = index
+                    break
+
+            subject_hierarchy_map = self.get_subject_hierarchy_map(
+                self["g"]["g"].policy
+            )
+
+            def compare_policy(policy):
+                domain = DEFAULT_DOMAIN
+                if domain_index != -1:
+                    domain = policy[domain_index]
+                name = self.get_name_with_domain(domain, policy[sub_index])
+                return subject_hierarchy_map[name]
+
+            assertion.policy = sorted(
+                assertion.policy, key=compare_policy, reverse=True
+            )
+            for i, policy in enumerate(assertion.policy):
+                assertion.policy_map[",".join(policy)] = i
+
+    def get_subject_hierarchy_map(self, policies):
+        subject_hierarchy_map = {}
+        # Tree structure of role
+        policy_map = {}
+        for policy in policies:
+            if len(policy) < 2:
+                raise RuntimeError("policy g expect 2 more params")
+            domain = DEFAULT_DOMAIN
+            if len(policy) != 2:
+                domain = policy[2]
+            child = self.get_name_with_domain(domain, policy[0])
+            parent = self.get_name_with_domain(domain, policy[1])
+            if parent not in policy_map.keys():
+                policy_map[parent] = [child]
+            else:
+                policy_map[parent].append(child)
+            if child not in subject_hierarchy_map.keys():
+                subject_hierarchy_map[child] = 0
+            if parent not in subject_hierarchy_map.keys():
+                subject_hierarchy_map[parent] = 0
+            subject_hierarchy_map[child] = 1
+        # Use queues for levelOrder
+        queue = []
+        for k, v in subject_hierarchy_map.items():
+            root = k
+            if v != 0:
+                continue
+            lv = 0
+            queue.append(root)
+            while len(queue) != 0:
+                sz = len(queue)
+                for _ in range(sz):
+                    node = queue.pop(0)
+                    subject_hierarchy_map[node] = lv
+                    if node in policy_map.keys():
+                        for child in policy_map[node]:
+                            queue.append(child)
+                lv += 1
+        return subject_hierarchy_map
+
+    def get_name_with_domain(self, domain, name):
+        return "{}{}{}".format(domain, DEFAULT_SEPARATOR, name)
+
     def to_text(self):
         s = []
 

examples/subject_priority_model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = subjectPriority(p.eft) || deny
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

examples/subject_priority_model_with_domain.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, dom, act
+
+[policy_definition]
+p = sub, obj, dom, act, eft
+
+[role_definition]
+g = _, _, _
+
+[policy_effect]
+e = subjectPriority(p.eft) || deny
+
+[matchers]
+m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

examples/subject_priority_policy.csv

@@ -0,0 +1,16 @@
+p, root, data1, read, deny
+p, admin, data1, read, deny
+
+p, editor, data1, read, deny
+p, subscriber, data1, read, deny
+
+p, jane, data1, read, allow
+p, alice, data1, read, allow
+
+g, admin, root
+
+g, editor, admin
+g, subscriber, admin
+
+g, jane, editor
+g, alice, subscriber

examples/subject_priority_policy_with_domain.csv

@@ -0,0 +1,7 @@
+p, admin, data1, domain1, write, deny
+p, alice, data1, domain1, write, allow
+p, admin, data2, domain2, write, deny
+p, bob, data2, domain2, write, allow
+
+g, alice, admin, domain1
+g, bob, admin, domain2

tests/test_enforcer.py

@@ -198,6 +198,22 @@ def test_enforce_priority_indeterminate(self):
         )
         self.assertFalse(e.enforce("alice", "data1", "read"))
 
+    def test_enforce_subpriority(self):
+        e = self.get_enforcer(
+            get_examples("subject_priority_model.conf"),
+            get_examples("subject_priority_policy.csv"),
+        )
+        self.assertTrue(e.enforce("jane", "data1", "read"))
+        self.assertTrue(e.enforce("alice", "data1", "read"))
+
+    def test_enforce_subpriority_with_domain(self):
+        e = self.get_enforcer(
+            get_examples("subject_priority_model_with_domain.conf"),
+            get_examples("subject_priority_policy_with_domain.csv"),
+        )
+        self.assertTrue(e.enforce("alice", "data1", "domain1", "write"))
+        self.assertTrue(e.enforce("bob", "data2", "domain2", "write"))
+
     def test_multiple_policy_definitions(self):
 
         e = self.get_enforcer(