test: casbin api testing

Author: BryanttV

authz.policy

@@ -0,0 +1,73 @@
+############################################
+# Open edX AuthZ — Casbin Policy Configuration
+#
+# This file defines policies that work with the model configuration.
+# Uses namespaced subjects, actions, and scopes for maximum flexibility.
+############################################
+
+# Policy definitions - format: p = subject(role), action, scope, effect
+# For role definitions use: lib*, course:*, org:* to specify the scope of the role
+
+# Library Admin Role Policies
+p, role:library_admin, lib:math_101, act:delete_library, allow
+p, role:library_admin, lib:math_101, act:publish_library, allow
+p, role:library_admin, act:manage_library_team, lib:*, allow
+p, role:library_admin, act:manage_library_tags, lib:*, allow
+p, role:library_admin, act:delete_library_content, lib:*, allow
+p, role:library_admin, act:publish_library_content, lib:*, allow
+p, role:library_admin, act:delete_library_collection, lib:*, allow
+p, role:library_admin, act:create_library, lib:*, allow
+p, role:library_admin, act:create_library_collection, lib:*, allow
+
+# Library Author Role Policies
+p, role:library_author, act:delete_library_content, lib:*, allow
+p, role:library_author, act:publish_library_content, lib:*, allow
+p, role:library_author, act:edit_library, lib:*, allow
+p, role:library_author, act:manage_library_tags, lib:*, allow
+p, role:library_author, act:create_library_collection, lib:*, allow
+p, role:library_author, act:edit_library_collection, lib:*, allow
+p, role:library_author, act:delete_library_collection, lib:*, allow
+
+# Library Collaborator Role Policies
+p, role:library_collaborator, act:edit_library, lib:*, allow
+p, role:library_collaborator, act:delete_library_content, lib:*, allow
+p, role:library_collaborator, act:manage_library_tags, lib:*, allow
+p, role:library_collaborator, act:create_library_collection, lib:*, allow
+p, role:library_collaborator, act:edit_library_collection, lib:*, allow
+p, role:library_collaborator, act:delete_library_collection, lib:*, allow
+
+# Library User Role Policies
+p, role:library_user, act:view_library, lib:*, allow
+p, role:library_user, act:view_library_team, lib:*, allow
+p, role:library_user, act:reuse_library_content, lib:*, allow
+
+# Example negative rule (deny overrides allow)
+# p, role:restricted_user, act:delete, course-v1:sensitive:*, deny
+
+# User-to-Role assignments (g) - format: g = user, role, scope
+# These would be populated dynamically based on actual user assignments
+#
+# Examples using lib: namespace format:
+g, user:alice_admin, role:library_admin, lib:math_101
+g, user:bob_author, role:library_author, lib:history_201
+g, user:carol_collaborator, role:library_collaborator, lib:science_301
+g, user:dave_user, role:library_user, lib:english_101
+g, user:eve_multi, role:library_admin, lib:physics_401
+g, user:eve_multi, role:library_author, lib:chemistry_501
+g, user:frank_global, role:library_user, *
+
+# Action Inheritance (g2) - format: g2 = parent_action, child_action
+# The logical inheritance hierarchy for actions
+g2, act:edit_library, act:delete_library
+g2, act:view_library, act:edit_library
+g2, act:edit_library, act:create_library
+g2, act:view_library, act:publish_library
+g2, act:view_library_team, act:manage_library_team
+g2, act:view_library_tags, act:manage_library_tags
+g2, act:edit_library_collection, act:delete_library_collection
+g2, act:view_library_collection, act:edit_library_collection
+g2, act:edit_library_collection, act:create_library_collection
+g2, act:view_library_content, act:edit_library_content
+g2, act:edit_library_content, act:delete_library_content
+g2, act:view_library_content, act:publish_library_content
+g2, act:view_library_content, act:reuse_library_content

main.py

@@ -0,0 +1,38 @@
+"""
+This is a simple example of how to use Casbin to enforce policies.
+"""
+
+from casbin import Enforcer
+
+# policy_file = "simple-policy.csv"
+# model_file = "simple-model.conf"
+
+policy_file = "authz.policy"
+model_file = "model.conf"
+
+enforcer = Enforcer(model_file, policy_file)
+
+enforcer.load_policy()
+
+
+# Complex Example
+
+# Get permissions for a user
+print(enforcer.get_permissions_for_user("role:library_admin"))
+
+# # Get permissions for a user in a specific domain
+# print(enforcer.get_permissions_for_user_in_domain("alice", "lib:math_101"))
+
+# Get implicit permissions for a user
+print(enforcer.get_implicit_permissions_for_user("user:alice_admin", "lib:math_101"))
+print(enforcer.get_implicit_permissions_for_user("user:frank_global"))
+
+# Get roles for a user in a specific domain
+print(enforcer.get_roles_for_user_in_domain("user:alice_admin", "lib:math_101"))
+print(enforcer.get_roles_for_user_in_domain("user:frank_global", "*"))
+
+# Get all roles
+print(enforcer.get_role_manager().get_roles("user:alice_admin", "lib:math_101"))
+
+# Print all roles
+print(enforcer.get_role_manager().print_roles())

model.conf

@@ -0,0 +1,92 @@
+############################################
+# Open edX AuthZ — Casbin Model Configuration
+#
+# This model supports:
+# - Scoped role assignments (user roles tied to specific contexts)
+# - Action grouping (manage → read/write/edit/delete to reduce duplication)
+# - System-wide roles (global scope "*" applies everywhere)
+# - Negative rules (deny overrides allow for exceptions)
+# - Namespace support (course:*, lib:*, org:*, etc.)
+# - Extensibility (new resource types just need new namespaces)
+############################################
+
+[request_definition]
+# Request format: subject (user), action, scope (specific resource being accessed)
+#
+# sub   = subject/principal with namespace (e.g., "user:alice", "service:lms")
+# act   = action with namespace (e.g., "act:read", "act:manage", "act:edit-courses")
+# scope = authorization scope context (e.g., "org:OpenedX", "course-v1:...", "*" for global)
+#
+# SCOPE SEMANTICS:
+# Scope determines the authorization context and which role assignments apply
+# - "*"             = global scope (system-wide roles apply everywhere)
+# - "org:..."       = organization-scoped roles (apply within specific organization)
+# - "course-v1:..." = course-scoped roles (apply within specific course)
+# - "lib:..."       = library-scoped roles (apply within specific library)
+#
+# Application must provide appropriate scope based on business logic.
+r = sub, act, scope
+
+[policy_definition]
+# Policy format: subject (role), action, scope (pattern), effect
+#
+# sub   = role or user with namespace (e.g., "role:org_admin", "user:bob")
+# act   = action identifier (e.g., "act:manage", "act:read", "act:edit-courses")
+# scope = scope where policy applies (e.g., "*", "org:*", "course-v1:*", "lib:*")
+# eft   = "allow" or "deny" (deny overrides allow for exceptions)
+p = sub, act, scope, eft
+
+[role_definition]
+# g: Role assignments with scope
+# Format: user/subject, role, scope
+#
+# Examples:
+# g, user:alice, role:org_admin, org:OpenedX         # Alice is org admin for OpenedX
+# g, user:bob, role:course_instructor, course-v1:... # Bob is instructor for specific course
+# g, user:carol, role:library_admin, *               # Carol is global library admin
+#
+# Role hierarchy (optional):
+# g, role:org_admin, role:org_editor, org:OpenedX    # org_admin inherits org_editor permissions
+g = _, _, _
+
+# g2: Action grouping and implications
+# Maps high-level actions to specific actions to reduce policy duplication
+#
+# Examples:
+# g2, act:manage, act:edit        # manage implies edit
+# g2, act:manage, act:delete      # manage implies delete
+# g2, act:edit-courses, act:read  # edit-courses implies read (for resource access)
+# g2, act:edit-courses, act:write # edit-courses implies write (for resource modification)
+g2 = _, _
+
+[policy_effect]
+# Deny-override policy: allow if any rule allows AND no rule denies
+# This enables negative rules/exceptions (e.g., "manage all courses except course Z")
+#
+# Evaluation order:
+# 1. Check if any policy grants allow
+# 2. Check if any policy specifies deny
+# 3. If deny found, result is deny (exceptions win)
+# 4. If allow found and no deny, result is allow
+# 5. If no matches, result is deny (default secure)
+e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+
+[matchers]
+# Authorization matching logic
+#
+# ROLE MATCHING:
+# - g(r.sub, p.sub, r.scope): check if subject has role in requested scope
+# - g(r.sub, p.sub, "*"): check if subject has role in all resources in the scope
+#
+# SCOPE MATCHING:
+# - keyMatch(r.scope, p.scope): scope matches pattern
+#
+# ACTION MATCHING:
+# - r.act == p.act: exact action match
+# - g2(p.act, r.act): policy action implies requested action via grouping
+#
+# All conditions must be true for a policy to match:
+# 1. Subject must have role in scope OR global role
+# 2. Scope must match pattern
+# 3. Action must match OR inherit via action grouping
+m = (g(r.sub, p.sub, r.scope) || g(r.sub, p.sub, "*")) && keyMatch(r.scope, p.scope) && (r.act == p.act || g2(p.act, r.act))

simple-model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, dom, obj, act
+
+[policy_definition]
+p = sub, dom, obj, act
+
+[role_definition]
+g = _, _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

simple-policy.csv

@@ -0,0 +1,7 @@
+p, admin, domain1, data1, read
+p, admin, domain1, data1, write
+p, admin, domain2, data2, read
+p, admin, domain2, data2, write
+
+g, alice, admin, domain1
+g, bob, admin, domain2