go-Casbin使用

本次测试代码是基于单租户的RBAC鉴权

依赖

github.com/casbin/casbin/v2
github.com/casbin/gorm-adapter/v2

文件存储规则文件

model.pml

[request_definition]
r = sub, obj, act[policy_definition]
p = sub, obj, act[role_definition]
g = _, _         # 用户,角色[policy_effect]
e = some(where (p.eft == allow))[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

policy.csv

p, admin, /user, write
p, admin, /user, read
p, admin, /order, write
p, admin, /order, read
p, admin, /user, put
p, systemManager, /user/userlist, read
p, systemManager, /order/orderlist, read
g, demo, admin
g, demo1, admin
g, kongdy, admin
g, kongdy, systemManager

这里是基于单租户RBAC的鉴权模式

p 开头的为 policy

g 开头的为用户-角色

model.pml文件中matchers字段：请求 r 的 sub 与 g 的用户匹配，匹配到后，减少匹配到的角色中，是否有同时匹配 obj 和 act

可以嵌套角色，默认最多可嵌套10层，但需要注意用户与角色不要存在相同值，否则会拥有该重名角色的权限

p, userManager, /user, write
p, userManager, /user, read
p, userManager, /user, put
p, orderManager, /order, write
p, orderManager, /order, read
p, userManager, /user/userlist, read
p, orderManager, /order/orderlist, readg, admin, userManager
g, admin, orderManager
g, manage, userManagerg, demo, admin
g, demo1, manage

这里可以理解为

demo用户拥有admin角色权限，admin角色继承userManager和orderManager角色，即同时拥有这两个角色的访问控制

demo1用户拥有userManager角色

也可以理解为

demo用户拥有admin角色权限，admin角色继承userManager和orderManager角色，即同时拥有这两个角色的访问控制

demo1用户拥有userManager角色

admin用户拥有userManager、orderManager两个角色

manage拥有userManager角色

理解以上policy后，也就明白了为什么用户名要与角色名称不要重叠的原因

main.go

package mainimport ("fmt""github.com/casbin/casbin/v2"
)func main() {e, err := casbin.NewEnforcer("./model.pml", "./policy.csv")if err != nil {fmt.Println("出错啦", err)return}//基本权限设置CheckPermi(e, "demo", "/user", "read")     //CheckPermi(e, "demo", "/user", "put")CheckPermi(e, "demo", "/user", "write")CheckPermi(e, "demo", "/order", "read")CheckPermi(e, "demo", "/order", "write")CheckPermi(e, "demo", "/user/userlist", "read")CheckPermi(e, "demo", "/user/userlist", "write")CheckPermi(e, "demo", "/order/orderlist", "read")CheckPermi(e, "demo", "/order/orderlist", "write")CheckPermi(e, "demo1", "/user", "read")CheckPermi(e, "demo1", "/user", "write")CheckPermi(e, "demo1", "/user", "put")CheckPermi(e, "demo1", "/order", "read")CheckPermi(e, "demo1", "/order", "write")CheckPermi(e, "demo1", "/user/userlist", "read")CheckPermi(e, "demo1", "/user/userlist", "write")CheckPermi(e, "demo1", "/order/orderlist", "read")CheckPermi(e, "demo1", "/order/orderlist", "write")CheckPermi(e, "admin", "/user", "read")CheckPermi(e, "admin", "/user", "write")CheckPermi(e, "admin", "/user", "put")CheckPermi(e, "admin", "/order", "read")CheckPermi(e, "admin", "/order", "write")CheckPermi(e, "admin", "/user/userlist", "read")CheckPermi(e, "admin", "/user/userlist", "write")CheckPermi(e, "admin", "/order/orderlist", "read")CheckPermi(e, "admin", "/order/orderlist", "write")}func CheckPermi(e *casbin.Enforcer, sub, obj, act string) {ok, err := e.Enforce(sub, obj, act)if err != nil {return}if ok == true {fmt.Printf("%s CAN %s %s\n", sub, act, obj)} else {fmt.Printf("%s CANNOT %s %s\n", sub, act, obj)}
}

常用操作

增加用户角色

e.AddRoleForUser("kongdy", "systemManager")
e.SavePolicy()e.AddRolesForUser("demo1", []string{"systemManager", "admin"})
e.SavePolicy()

增加鉴权规则

e.AddPolicy("admin", "/user", "put")
e.SavePolicy()

删除角色（会将所有拥有该角色的记录均删除）

e.DeleteRole("systemManager")
e.SavePolicy()

基于gorm的权限控制

上面的示例基于文件存储来实现的，当数量上去后，管理起来非常不方便，下面采用数据库来存储数据

import ("fmt""github.com/casbin/casbin/v2"gormadapter "github.com/casbin/gorm-adapter/v2"   // 版本注意与casbin保持一致_ "github.com/go-sql-driver/mysql""github.com/jinzhu/gorm"
)// 统一响应结构体
type Response struct {Code    int         `json:"code"`Message string      `json:"message"`Data    interface{} `json:"data"`
}var Db *gorm.DB
var PO *gormadapter.Adapter
var Enforcer *casbin.Enforcer// 数据库连接及角色规则的初始化，会检查并自动创建 casbin_rule 表
func connect() {dsn := "root:root@(127.0.0.1:3306)/gin_study?charset=utf8&parseTime=True&loc=Local"var err errorDb, err = gorm.Open("mysql", dsn)if err != nil {fmt.Println("connect DB error")panic(err)}// 将数据库连接同步给插件， 插件用来操作数据库PO, _ = gormadapter.NewAdapterByDB(Db)// 这里也可以使用原生字符串方式//Enforcer, _ = casbin.NewEnforcer("model.pml", PO)// 开启权限认证日志// Enforcer.EnableLog(true)// 加载数据库中的策略err = Enforcer.LoadPolicy()if err != nil {fmt.Println("loadPolicy error")panic(err)}
}func main() {connect()//基本权限设置CheckPermi(Enforcer, "demo", "/user", "read")CheckPermi(Enforcer, "demo", "/user", "put")CheckPermi(Enforcer, "demo", "/user", "write")CheckPermi(Enforcer, "demo", "/order", "read")CheckPermi(Enforcer, "demo", "/order", "write")CheckPermi(Enforcer, "demo", "/user/userlist", "read")CheckPermi(Enforcer, "demo", "/user/userlist", "write")CheckPermi(Enforcer, "demo", "/order/orderlist", "read")CheckPermi(Enforcer, "demo", "/order/orderlist", "write")
}func CheckPermi(e *casbin.Enforcer, sub, obj, act string) {res, err := e.Enforce(sub, obj, act)if err != nil {fmt.Printf("出错啦:e=%+v\n, err = %+v\n", e, err)return}if res == true {fmt.Printf("%s CAN %s %s\n", sub, act, obj)} else {fmt.Printf("%s CANNOT %s %s\n", sub, act, obj)}
}

中间件

// casbin middleware 权限认证中间件
func CasbinMiddleWare(enforcer *casbin.Enforcer) gin.HandlerFunc {return func(c *gin.Context) {userName := c.GetHeader("userName")if userName == "" {fmt.Println("headers invalid")c.JSON(200, gin.H{"code":    401,"message": "Unauthorized","data":    "",})c.Abort()return}// 请求的pathp := c.Request.URL.Path// 请求的方法m := c.Request.Method// 这里认证res, err := enforcer.Enforce(userName, p, m)// 这个 HasPermissionForUser 跟上面的有什么区别// EnforceSafe 会验证角色的相关的权限// 而 HasPermissionForUser 只验证用户是否有权限//res = Enforcer.HasPermissionForUser(userName,p,m)if err != nil {fmt.Println("no permission ")fmt.Println(err)c.JSON(200, gin.H{"code":    401,"message": "Unauthorized","data":    "",})c.Abort()return}if !res {fmt.Println("permission check failed")c.JSON(200, gin.H{"code":    401,"message": "Unauthorized","data":    "",})c.Abort()return}c.Next()}
}