hub / github.com/apache/casbin / validateSOD

Method validateSOD

model/constraint.go:202–219  ·  view source on GitHub ↗

validateSOD validates a Separation of Duties constraint.

(constraint *Constraint, groupingPolicy [][]string)

Source from the content-addressed store, hash-verified

// validateSOD checks a Separation of Duties constraint against the grouping
// policy: no single user may hold both roles named by the constraint.
//
// It returns a constraint violation error when the constraint does not list
// exactly two roles, or for the first user found whose role map contains both
// roles. It returns nil when no user holds both. The receiver is not used.
//
// NOTE(review): constraint is dereferenced without a nil check, so callers
// must pass a non-nil constraint.
// NOTE(review): the two role names are not compared with each other; if they
// are identical, every holder of that role is reported as a violation.
// NOTE(review): the result depends entirely on what buildUserRoleMap returns.
// Whether it includes roles reached through role inheritance, or how it
// treats domain-qualified rules, is not visible here; if it maps direct
// assignments only, a user who reaches both roles indirectly would pass this
// check. Confirm against buildUserRoleMap before relying on this as the sole
// SoD control.
func (model Model) validateSOD(constraint *Constraint, groupingPolicy [][]string) error {
	if len(constraint.Roles) != 2 {
		return errors.NewConstraintViolationError(constraint.Key, "sod requires exactly 2 roles")
	}

	first := constraint.Roles[0]
	second := constraint.Roles[1]

	// Presumably a map keyed by user; if so, which offender is reported when
	// several users violate the constraint is not deterministic.
	for user, assigned := range buildUserRoleMap(groupingPolicy) {
		if !assigned[first] || !assigned[second] {
			continue
		}
		msg := fmt.Sprintf("user '%s' cannot have both roles '%s' and '%s'", user, first, second)
		return errors.NewConstraintViolationError(constraint.Key, msg)
	}

	return nil
}
220
221// validateSODMax validates a maximum role count constraint for a role set.
222func (model Model) validateSODMax(constraint *Constraint, groupingPolicy [][]string) error {

Callers 1

validateConstraint (Method) · 0.95

Calls 2

buildUserRoleMap (Function) · 0.85

Tested by

no test coverage detected