feat: add casbin model

Author: BryanttV

openedx_authz/apps.py

@@ -11,3 +11,4 @@ class OpenedxAuthzConfig(AppConfig):
     """
 
     name = "openedx_authz"
+    plugin_app = {}

openedx_authz/management/__init__.py

@@ -0,0 +1,205 @@
+"""
+Django management command for testing Casbin enforcement policies.
+
+This command creates a Casbin enforcer from model.conf and policy.csv files,
+then tests enforcement for each request in request.txt.
+"""
+
+import os
+
+import casbin
+from django.core.management.base import BaseCommand, CommandError
+
+
+class Command(BaseCommand):
+    """
+    Test Casbin enforcement policies using model.conf, policy.csv, and request.txt
+    """
+
+    help = (
+        "Test Casbin enforcement policies using model.conf, policy.csv, and request.txt. "
+        "Supports interactive mode for custom testing."
+    )
+
+    def add_arguments(self, parser) -> None:
+        """Add the arguments to the parser."""
+        parser.add_argument(
+            "--model-file",
+            type=str,
+            default="model.conf",
+            help="Path to the Casbin model configuration file (default: model.conf)",
+        )
+        parser.add_argument(
+            "--policy-file",
+            type=str,
+            default="policy.csv",
+            help="Path to the policy CSV file (default: policy.csv)",
+        )
+        parser.add_argument(
+            "--request-file",
+            type=str,
+            default="request.txt",
+            help="Path to the request test file (default: request.txt)",
+        )
+        parser.add_argument(
+            "--interactive",
+            action="store_true",
+            help="Run in interactive mode for testing custom enforcement requests",
+        )
+
+    def handle(self, *args, **options):
+        """Handle the command."""
+        model_file = self.get_file_path(options["model_file"])
+        policy_file = self.get_file_path(options["policy_file"])
+        interactive_mode = options.get("interactive", False)
+
+        if not os.path.isfile(model_file):
+            raise CommandError(f"Model file not found: {model_file}")
+        if not os.path.isfile(policy_file):
+            raise CommandError(f"Policy file not found: {policy_file}")
+
+        if not interactive_mode:
+            request_file = self.get_file_path(options["request_file"])
+            if not os.path.isfile(request_file):
+                raise CommandError(f"Request file not found: {request_file}")
+
+        self.stdout.write(self.style.SUCCESS("=== Casbin Enforcement Testing ==="))
+        self.stdout.write(f"Model file: {model_file}")
+        self.stdout.write(f"Policy file: {policy_file}")
+        if interactive_mode:
+            self.stdout.write("Mode: Interactive")
+        else:
+            request_file = self.get_file_path(options["request_file"])
+            self.stdout.write(f"Request file: {request_file}")
+        self.stdout.write("")
+
+        try:
+            enforcer = casbin.Enforcer(model_file, policy_file)
+            self.stdout.write(self.style.SUCCESS("✓ Casbin enforcer created successfully"))
+
+            policies = enforcer.get_policy()
+            roles = enforcer.get_grouping_policy()
+            role_inheritance = enforcer.get_named_grouping_policy("g2")
+
+            self.stdout.write(f"✓ Loaded {len(policies)} policies")
+            self.stdout.write(f"✓ Loaded {len(roles)} role assignments")
+            self.stdout.write(f"✓ Loaded {len(role_inheritance)} action inheritance rules")
+            self.stdout.write("")
+
+            if interactive_mode:
+                self._run_interactive_mode(enforcer)
+            else:
+                request_file = self.get_file_path(options["request_file"])
+                self._process_requests(enforcer, request_file)
+
+        except Exception as e:
+            raise CommandError(f"Error creating Casbin enforcer: {str(e)}") from e
+
+    def get_file_path(self, file_name: str) -> str:
+        """Get the file path for the given file name."""
+        return os.path.join(os.path.dirname(__file__), file_name)
+
+    def _process_requests(self, enforcer: casbin.Enforcer, request_file: str) -> None:
+        """Process each request in the request file and test enforcement."""
+        self.stdout.write(self.style.SUCCESS("=== Processing Enforcement Requests ==="))
+
+        total_requests = 0
+        passed_requests = 0
+        failed_requests = 0
+
+        with open(request_file, "r") as file:
+            for line_num, line in enumerate(file, 1):
+                line = line.strip()
+
+                # Skip empty lines and comments
+                if not line or line.startswith("#"):
+                    continue
+
+                total_requests += 1
+
+                try:
+                    # Parse request line: subject, action, object, scope, expected_result
+                    parts = [part.strip() for part in line.split(",")]
+                    if len(parts) != 5:
+                        self.stdout.write(
+                            self.style.ERROR(f"Line {line_num}: Invalid format - expected 5 parts, got {len(parts)}")
+                        )
+                        failed_requests += 1
+                        continue
+
+                    subject, action, obj, scope, expected_str = parts
+                    expected_result = expected_str.lower() == "true"
+
+                    actual_result = enforcer.enforce(subject, action, obj, scope)
+
+                    if actual_result == expected_result:
+                        status = self.style.SUCCESS("✓ PASS")
+                        passed_requests += 1
+                    else:
+                        status = self.style.ERROR("✗ FAIL")
+                        failed_requests += 1
+
+                    self.stdout.write(
+                        f"{status} Line {line_num:2d}: {subject}, {action}, {obj}, {scope} "
+                        f"-> Expected: {expected_result}, Got: {actual_result}"
+                    )
+
+                except (ValueError, IndexError) as e:
+                    self.stdout.write(self.style.ERROR(f"Line {line_num}: Error processing request - {str(e)}"))
+                    failed_requests += 1
+
+        self.stdout.write("")
+        self.stdout.write(self.style.SUCCESS("=== Enforcement Test Summary ==="))
+        self.stdout.write(f"Total requests: {total_requests}")
+        self.stdout.write(self.style.SUCCESS(f"Passed: {passed_requests}"))
+        if failed_requests > 0:
+            self.stdout.write(self.style.ERROR(f"Failed: {failed_requests}"))
+        else:
+            self.stdout.write(f"Failed: {failed_requests}")
+
+        success_rate = (passed_requests / total_requests * 100) if total_requests > 0 else 0
+        self.stdout.write(f"Success rate: {success_rate:.1f}%")
+
+        if failed_requests == 0:
+            self.stdout.write(self.style.SUCCESS("All tests passed!"))
+        else:
+            self.stdout.write(self.style.WARNING(f"⚠️ {failed_requests} test(s) failed"))
+
+    def _run_interactive_mode(self, enforcer: casbin.Enforcer) -> None:
+        """Run interactive mode for testing custom enforcement requests."""
+        self.stdout.write(self.style.SUCCESS("=== Interactive Mode ==="))
+        self.stdout.write("Test custom enforcement requests interactively.")
+        self.stdout.write("Format: subject action object scope")
+        self.stdout.write("Example: user:alice act:read lib:test-lib org:OpenedX")
+        self.stdout.write("Special commands: help, policies, users, quit")
+        self.stdout.write("")
+
+        while True:
+            try:
+                user_input = input("Enter enforcement test (or command): ").strip()
+                if not user_input:
+                    continue
+                self._test_interactive_request(enforcer, user_input)
+            except (KeyboardInterrupt, EOFError):
+                break
+
+    def _test_interactive_request(self, enforcer: casbin.Enforcer, user_input: str) -> None:
+        """Test a single enforcement request from interactive input."""
+        try:
+            parts = [part.strip() for part in user_input.split()]
+            if len(parts) != 4:
+                self.stdout.write(self.style.ERROR(f"✗ Invalid format. Expected 4 parts, got {len(parts)}"))
+                self.stdout.write("   Format: subject action object scope")
+                self.stdout.write("   Example: user:alice act:read lib:test-lib org:OpenedX")
+                return
+
+            subject, action, obj, scope = parts
+            result = enforcer.enforce(subject, action, obj, scope)
+
+            if result:
+                self.stdout.write(self.style.SUCCESS(f"✓ ALLOWED: {subject} {action} {obj} {scope}"))
+            else:
+                self.stdout.write(self.style.ERROR(f"✗ DENIED: {subject} {action} {obj} {scope}"))
+
+        except (ValueError, IndexError, TypeError) as e:
+            self.stdout.write(self.style.ERROR(f"✗ Error processing request: {str(e)}"))

openedx_authz/management/commands/__init__.py

@@ -0,0 +1,29 @@
+[request_definition]
+r = sub, act, obj, scope
+
+[policy_definition]
+p = sub, act, obj, eft
+
+[role_definition]
+g = _, _, _
+g2 = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+
+[matchers]
+# Authorization matching logic
+#
+# SCOPE MATCHING:
+# - g(r.sub, p.sub, r.scope): check if subject has role in requested scope
+# - g(r.sub, p.sub, "*"): check if subject has global role
+#
+# OBJECT MATCHING:
+# - keyMatch(r.obj, p.obj): matches object IDs using exact match or regex patterns
+#
+# ACTION MATCHING:
+# - r.act == p.act: exact action match
+# - g2(p.act, r.act): policy action implies requested action via grouping
+#
+# All conditions must be true for a policy to match
+m = (g(r.sub, p.sub, r.scope) || g(r.sub, p.sub, "*")) && keyMatch(r.obj, p.obj) && (r.act == p.act || g2(p.act, r.act))

openedx_authz/management/commands/enforcement.py

@@ -0,0 +1,18 @@
+p, role:platform_admin, act:manage, *, allow
+p, role:org_admin, act:manage, lib:*, allow
+p, role:org_editor, act:edit, lib:*, allow
+p, role:library_author, act:edit, lib:*, allow
+p, role:library_reviewer, act:read, lib:*, allow
+p, role:org_editor, act:edit, lib:restricted-content, deny
+
+g, user:admin, role:platform_admin, *
+g, user:alice, role:org_admin, org:OpenedX
+g, user:bob, role:org_editor, org:MIT
+g, user:mary, role:library_author, lib:math-basics
+g, user:john, role:library_author, lib:science-101
+g, user:sarah, role:library_reviewer, lib:math-basics
+
+g2, act:manage, act:edit
+g2, act:manage, act:delete
+g2, act:edit, act:read
+g2, act:edit, act:write

openedx_authz/management/commands/model.conf

@@ -0,0 +1,67 @@
+# ===== ADMIN GLOBAL PERMISSIONS =====
+user:admin, act:manage, lib:math-basics, org:OpenedX, True
+user:admin, act:delete, lib:science-101, org:MIT, True
+user:admin, act:read, lib:openedx-library, org:OpenedX, True
+user:admin, act:read, lib:any-library, *, True
+user:admin, act:write, lib:any-library, *, True
+user:admin, act:delete, lib:any-library, *, True
+
+# ===== ORG ADMIN PERMISSIONS =====
+user:alice, act:manage, lib:openedx-library, org:OpenedX, True
+user:alice, act:delete, lib:openedx-content, org:OpenedX, True
+user:alice, act:write, lib:math-basics, org:OpenedX, True
+user:alice, act:read, lib:openedx-test, org:OpenedX, True
+user:alice, act:write, lib:openedx-test, org:OpenedX, True
+user:alice, act:delete, lib:openedx-test, org:OpenedX, True
+user:alice, act:manage, lib:mit-library, org:MIT, False
+user:alice, act:read, lib:mit-content, org:MIT, False
+
+# ===== ORG EDITOR PERMISSIONS =====
+user:bob, act:edit, lib:mit-course, org:MIT, True
+user:bob, act:read, lib:mit-content, org:MIT, True
+user:bob, act:write, lib:mit-data, org:MIT, True
+user:bob, act:delete, lib:mit-course, org:MIT, False
+user:bob, act:manage, lib:mit-course, org:MIT, False
+
+# ===== LIBRARY AUTHOR PERMISSIONS =====
+user:mary, act:edit, lib:math-basics, lib:math-basics, True
+user:mary, act:read, lib:math-basics, lib:math-basics, True
+user:mary, act:write, lib:math-basics, lib:math-basics, True
+user:mary, act:delete, lib:math-basics, lib:math-basics, False
+user:mary, act:manage, lib:math-basics, lib:math-basics, False
+user:mary, act:edit, lib:science-101, lib:science-101, False
+user:john, act:edit, lib:science-101, lib:science-101, True
+user:john, act:read, lib:science-101, lib:science-101, True
+user:john, act:edit, lib:math-basics, lib:math-basics, False
+
+# ===== LIBRARY REVIEWER PERMISSIONS =====
+user:sarah, act:read, lib:math-basics, lib:math-basics, True
+user:sarah, act:write, lib:math-basics, lib:math-basics, False
+user:sarah, act:edit, lib:math-basics, lib:math-basics, False
+user:sarah, act:delete, lib:math-basics, lib:math-basics, False
+
+# ===== ACTION INHERITANCE TESTS =====
+user:alice, act:read, lib:openedx-test, org:OpenedX, True
+user:alice, act:write, lib:openedx-test, org:OpenedX, True
+user:alice, act:delete, lib:openedx-test, org:OpenedX, True
+user:bob, act:read, lib:mit-test, org:MIT, True
+user:bob, act:write, lib:mit-test, org:MIT, True
+user:bob, act:delete, lib:mit-test, org:MIT, False
+
+# ===== DENY RULES TESTS =====
+user:bob, act:edit, lib:restricted-content, org:MIT, False
+user:bob, act:read, lib:restricted-content, org:MIT, False
+
+# ===== SCOPE ISOLATION TESTS =====
+user:alice, act:manage, lib:openedx-lib, *, False
+user:mary, act:edit, lib:math-basics, org:OpenedX, False
+user:bob, act:edit, lib:mit-course, lib:mit-course, False
+
+# ===== UNAUTHORIZED ACCESS TESTS =====
+user:unknown, act:read, lib:math-basics, lib:math-basics, False
+user:mary, act:read, lib:science-101, lib:science-101, False
+
+# ===== SPECIAL CASE TESTS =====
+# This should be False, but it's returning True. This is a
+# special case, and we can prevent it from the Open edX layer
+user:mary, act:read, lib:science-101, lib:math-basics, False

openedx_authz/management/commands/policy.csv

@@ -159,4 +159,9 @@ def is_requirement(line):
         "Programming Language :: Python :: 3.11",
         "Programming Language :: Python :: 3.12",
     ],
+    entry_points={
+        "lms.djangoapp": [
+            "openedx_authz = openedx_authz.apps:OpenedxAuthzConfig",
+        ],
+    },
 )