(t *testing.T)
| 242 | } |
| 243 | |
| 244 | func TestRBACModelWithDomainTokenRename(t *testing.T) { |
| 245 | // Test that renaming the domain token from "dom" to another name (e.g., "dom1") |
| 246 | // still works correctly. This is a regression test for the issue where the |
| 247 | // hardcoded "r_dom" and "p_dom" strings prevented proper domain matching. |
| 248 | |
| 249 | // Test with standard "dom" token |
| 250 | modelText1 := ` |
| 251 | [request_definition] |
| 252 | r = sub, dom, obj, act |
| 253 | |
| 254 | [policy_definition] |
| 255 | p = sub, dom, obj, act |
| 256 | |
| 257 | [role_definition] |
| 258 | g = _, _, _ |
| 259 | |
| 260 | [policy_effect] |
| 261 | e = some(where (p.eft == allow)) |
| 262 | |
| 263 | [matchers] |
| 264 | m = g(r.sub, p.sub, r.dom) && keyMatch(r.dom, p.dom) && r.obj == p.obj && r.act == p.act |
| 265 | ` |
| 266 | m1, _ := model.NewModelFromString(modelText1) |
| 267 | e1, _ := NewEnforcer(m1) |
| 268 | _, _ = e1.AddPolicy("admin", "domain1", "data1", "read") |
| 269 | _, _ = e1.AddGroupingPolicy("alice", "admin", "domain*") |
| 270 | |
| 271 | testDomainEnforce(t, e1, "alice", "domain1", "data1", "read", true) |
| 272 | testDomainEnforce(t, e1, "alice", "domain2", "data1", "read", false) |
| 273 | |
| 274 | // Test with renamed "dom1" token |
| 275 | modelText2 := ` |
| 276 | [request_definition] |
| 277 | r = sub, dom1, obj, act |
| 278 | |
| 279 | [policy_definition] |
| 280 | p = sub, dom1, obj, act |
| 281 | |
| 282 | [role_definition] |
| 283 | g = _, _, _ |
| 284 | |
| 285 | [policy_effect] |
| 286 | e = some(where (p.eft == allow)) |
| 287 | |
| 288 | [matchers] |
| 289 | m = g(r.sub, p.sub, r.dom1) && keyMatch(r.dom1, p.dom1) && r.obj == p.obj && r.act == p.act |
| 290 | ` |
| 291 | m2, _ := model.NewModelFromString(modelText2) |
| 292 | e2, _ := NewEnforcer(m2) |
| 293 | _, _ = e2.AddPolicy("admin", "domain1", "data1", "read") |
| 294 | _, _ = e2.AddGroupingPolicy("alice", "admin", "domain*") |
| 295 | |
| 296 | testDomainEnforce(t, e2, "alice", "domain1", "data1", "read", true) |
| 297 | testDomainEnforce(t, e2, "alice", "domain2", "data1", "read", false) |
| 298 | |
| 299 | // Test with renamed "tenant" token |
| 300 | modelText3 := ` |
| 301 | [request_definition] |