feat: Add priority sort with subject hierarchy.

Casbin.UnitTest/Casbin.UnitTests.csproj

@@ -180,6 +180,18 @@
     <None Update="Examples\rbac_with_resource_roles_policy.csv">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Update="Examples\subject_priority_model.conf">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+    <None Update="Examples\subject_priority_policy.csv">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+    <None Update="Examples\subject_priority_model_with_domain.conf">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+    <None Update="Examples\subject_priority_policy_with_domain.csv">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Update="Examples\support_count_model.conf">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>

Casbin.UnitTest/Fixtures/TestModelFixture.cs

@@ -42,6 +42,10 @@ public class TestModelFixture
         internal readonly string _rbacWithHierarchyPolicyText = ReadTestFile("rbac_with_hierarchy_policy.csv");
         internal readonly string _rbacWithHierarchyWithDomainsPolicyText = ReadTestFile("rbac_with_hierarchy_with_domains_policy.csv");
         internal readonly string _rbacWithResourceRolePolicyText = ReadTestFile("rbac_with_resource_roles_policy.csv");
+        internal readonly string _subjectPriorityModelText = ReadTestFile("subject_priority_model.conf");
+        internal readonly string _subjectPriorityPolicyText = ReadTestFile("subject_priority_policy.csv");
+        internal readonly string _subjectPriorityWithDomainModelText = ReadTestFile("subject_priority_model_with_domain.conf");
+        internal readonly string _subjectPriorityWithDomainPolicyText = ReadTestFile("subject_priority_policy_with_domain.csv");
 
         // https://github.com/casbin/Casbin.NET/issues/154
         internal readonly string _rbacMultipleModelText = ReadTestFile("rbac_multiple_rolemanager_model.conf");

Casbin.UnitTest/ModelTests/EnforcerTest.cs

@@ -1032,5 +1032,35 @@ public void TestEnforceWithLazyLoadPolicy()
             e = DefaultEnforcer.Create(m, a);
             Assert.NotEmpty(e.GetPolicy());
         }
+
+        [Fact]
+        public void TestEnforceSubjectPriority()
+        {
+            var e = new Enforcer(TestModelFixture.GetNewTestModel(
+                _testModelFixture._subjectPriorityModelText,
+                _testModelFixture._subjectPriorityPolicyText));
+
+            TestEnforce(e, "jane", "data1", "read", true);
+            TestEnforce(e, "alice", "data1", "read", true);
+        }
+
+        [Fact]
+        public void TestEnforceSubjectPriorityWithDomain()
+        {
+            var e = new Enforcer(
+                Path.Combine("Examples", "subject_priority_model_with_domain.conf"),
+                Path.Combine("Examples", "subject_priority_policy_with_domain.csv"));
+
+            Assert.True(e.Enforce(
+                "alice",
+                "data1",
+                "domain1",
+                "write"));
+            Assert.True(e.Enforce(
+                "bob",
+                "data2",
+                "domain2",
+                "write"));
+        }
     }
 }

Casbin.UnitTest/examples/subject_priority_model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = subjectPriority(p.eft) || deny
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

Casbin.UnitTest/examples/subject_priority_model_with_domain.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, dom, act
+
+[policy_definition]
+p = sub, obj, dom, act, eft
+
+[role_definition]
+g = _, _, _
+
+[policy_effect]
+e = subjectPriority(p.eft) || deny
+
+[matchers]
+m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

Casbin.UnitTest/examples/subject_priority_policy.csv

@@ -0,0 +1,17 @@
+p, root, data1, read, deny
+p, admin, data1, read, deny
+
+p, editor, data1, read, deny
+p, subscriber, data1, read, deny
+p, subscriber, data1, write, deny
+
+p, jane, data1, read, allow
+p, alice, data1, read, allow
+
+g, admin, root
+
+g, editor, admin
+g, subscriber, admin
+
+g, jane, editor
+g, alice, subscriber

Casbin.UnitTest/examples/subject_priority_policy_with_domain.csv

@@ -0,0 +1,7 @@
+p, admin, data1, domain1, write, deny
+p, alice, data1, domain1, write, allow
+p, admin, data2, domain2, write, deny
+p, bob, data2, domain2, write, allow
+
+g, alice, admin, domain1
+g, bob, admin, domain2

Casbin/Abstractions/Model/IModel.cs

@@ -53,5 +53,7 @@ public void BuildIncrementalRoleLinks(PolicyOperation policyOperation,
         public void RefreshPolicyStringSet();
 
         public void SortPoliciesByPriority();
+
+        public void SortPoliciesBySubjectHierarchy();
     }
 }

Casbin/Effect/DefaultEffector.cs

@@ -69,6 +69,7 @@ public PolicyEffect MergeEffects(string effectExpression, IReadOnlyList<PolicyEf
             PermConstants.PolicyEffect.DenyOverride => EffectExpressionType.DenyOverride,
             PermConstants.PolicyEffect.AllowAndDeny => EffectExpressionType.AllowAndDeny,
             PermConstants.PolicyEffect.Priority => EffectExpressionType.Priority,
+            PermConstants.PolicyEffect.SubjectPriority => EffectExpressionType.PriorityAllOverride, 
             PermConstants.PolicyEffect.PriorityDenyOverride => EffectExpressionType.PriorityDenyOverride,
             _ => throw new NotSupportedException("Not supported policy effect.")
         };

Casbin/Effect/EffectExpressionType.cs

@@ -7,6 +7,7 @@ public enum EffectExpressionType
         AllowAndDeny,
         DenyOverride,
         Priority,
-        PriorityDenyOverride
+        PriorityDenyOverride,
+        PriorityAllOverride
     }
 }

Casbin/Enforcer.cs

@@ -42,6 +42,8 @@ public Enforcer(IModel model, IReadOnlyAdapter adapter = null, bool lazyLoadPoli
             {
                 this.LoadPolicy();
             }
+            Model.SortPoliciesByPriority();
+            Model.SortPoliciesBySubjectHierarchy();
         }
 
         #region Options

Casbin/Evaluation/EffiectEvaluation.cs

@@ -78,6 +78,20 @@ internal static bool TryEvaluate(PolicyEffect effect, EffectExpressionType effec
                     }
                     break;
 
+                case EffectExpressionType.PriorityAllOverride:
+                    switch (effect)
+                    {
+                        case PolicyEffect.Allow:
+                            result = true;
+                            hitPolicy = true;
+                            return false;
+                        case PolicyEffect.Deny:
+                            result = false;
+                            hitPolicy = true;
+                            return false;
+                    }
+                    break;
+
                 case EffectExpressionType.Custom:
                     // TODO: Support custom policy effect.
                     break;

Casbin/Extensions/Enforcer/EnforcerExtension.cs

@@ -237,6 +237,7 @@ public static bool LoadPolicy(this IEnforcer enforcer)
 
             enforcer.ClearCache();
             enforcer.Model.RefreshPolicyStringSet();
+
             if (enforcer.AutoBuildRoleLinks)
             {
                 enforcer.BuildRoleLinks();
@@ -258,6 +259,7 @@ public static async Task<bool> LoadPolicyAsync(this IEnforcer enforcer)
 
             enforcer.ClearCache();
             enforcer.Model.RefreshPolicyStringSet();
+
             if (enforcer.AutoBuildRoleLinks)
             {
                 enforcer.BuildRoleLinks();

Casbin/Model/Assertion.cs

@@ -237,5 +237,55 @@ int PolicyComparison(IPolicyValues p1, IPolicyValues p2)
             _policy.Sort(PolicyComparison);
             return true;
         }
+
+        private bool TryGetSubjectHierarchyDomainIndex(out int index)
+        {
+            if (Tokens is null)
+            {
+                index = -1;
+                return false;
+            }
+            return Tokens.TryGetValue("dom", out index);
+        }
+
+        private bool TryGetSubjectHierarchySubjectIndex(out int index)
+        {
+            if (Tokens is null)
+            {
+                index = -1;
+                return false;
+            }
+            return Tokens.TryGetValue("sub", out index);
+        }
+
+
+        internal bool TrySortPoliciesBySubjectHierarchy(Dictionary<string, int> subjectHierarchyMap, Func<string, string, string> nameFormatter)
+        {
+            if(TryGetSubjectHierarchyDomainIndex(out int domainIndex) is false)
+            {
+                domainIndex = -1;
+            }
+            if (TryGetSubjectHierarchySubjectIndex(out int subjectIndex) is false)
+            {
+                return false;
+            }
+
+
+            int PolicyComparison(IPolicyValues p1, IPolicyValues p2)
+            {
+                string domain1 = "", domain2 = "";
+                if(domainIndex != -1)
+                {
+                    domain1 = p1[domainIndex];
+                    domain2 = p2[domainIndex];
+                }
+                string name1 = nameFormatter(domain1, p1[subjectIndex]);
+                string name2 = nameFormatter(domain2, p2[subjectIndex]);
+
+                return subjectHierarchyMap[name1] - subjectHierarchyMap[name2];
+            }
+            _policy.Sort(PolicyComparison);
+            return true;
+        }
     }
 }

Casbin/Model/DefaultModel.cs

@@ -262,6 +262,76 @@ public void SortPoliciesByPriority()
             }
         }
 
+        public void SortPoliciesBySubjectHierarchy()
+        {
+            if (Sections.Count == 0)
+            {
+                return;
+            }
+            if (!Sections[PermConstants.DefaultPolicyEffectType][PermConstants.DefaultPolicyEffectType].Value.Equals(PermConstants.PolicyEffect.SubjectPriority))
+            {
+                return;
+            }
+            var subjectHierarchyMap = GetSubjectHierarchyMap(Sections[PermConstants.DefaultRoleType][PermConstants.DefaultRoleType].Policy);
+            foreach (var keyValuePair in Sections[PermConstants.DefaultPolicyType])
+            {
+                var assertion = keyValuePair.Value;
+                assertion.TrySortPoliciesBySubjectHierarchy(subjectHierarchyMap, GetNameWithDomain);
+            }
+        }
+
+        private string GetNameWithDomain(string domain, string name)
+        {
+            return domain + PermConstants.SubjectPrioritySeparatorString + name;
+        }
+
+        private Dictionary<string, int> GetSubjectHierarchyMap(IReadOnlyList<IPolicyValues> policies)
+        {
+            Dictionary<string, int> refer = new Dictionary<string, int>();
+            Dictionary<string, int> res = new Dictionary<string, int>();
+            Dictionary<string, List<string>> policyChildenMap = new Dictionary<string, List<string>>();
+            foreach(var policy in policies)
+            {
+                string domain = policy.Count > 2 ? policy[2] : null;
+                string child = GetNameWithDomain(domain, policy[0]);
+                string parent = GetNameWithDomain(domain, policy[1]);
+                if (policyChildenMap.ContainsKey(parent))
+                {
+                    policyChildenMap[parent].Add(child);
+                }
+                else
+                {
+                    policyChildenMap[parent] = new List<string>(new string[] { child });
+                }
+                refer[parent] = refer[child] = 0;
+            }
+            Queue<string> q = new Queue<string>();
+            foreach(var keyValuePair in refer)
+            {
+                if (keyValuePair.Value != 0) continue;
+                int level = 0;
+                q.Enqueue(keyValuePair.Key);
+                while (q.Count > 0)
+                {
+                    int size = q.Count;
+                    while (size-- > 0)
+                    {
+                        var node = q.Dequeue();
+                        res[node] = level;
+                        if (policyChildenMap.ContainsKey(node))
+                        {
+                            foreach(var child in policyChildenMap[node])
+                            {
+                                q.Enqueue(child);
+                            }
+                        }
+                    }
+                    level++;
+                }
+            }
+            return res; 
+        }
+
         private void LoadModel(IConfig config)
         {
             LoadSection(config, PermConstants.Section.RequestSection);

Casbin/PermConstants.cs

@@ -4,6 +4,7 @@ public static class PermConstants
     {
         public const char PolicySeparatorChar = ',';
         public const string PolicySeparatorString = ", "; // include a white space
+        public const string SubjectPrioritySeparatorString = "::";
 
         public const string DefaultRequestType = "r";
         public const string RequestType2 = "r2";
@@ -60,6 +61,7 @@ public static class PolicyEffect
             public const string DenyOverride = "!some(where (p.eft == deny))";
             public const string AllowAndDeny = "some(where (p.eft == allow)) && !some(where (p.eft == deny))";
             public const string Priority = "priority(p.eft) || deny";
+            public const string SubjectPriority = "subjectPriority(p.eft) || deny";
             public const string PriorityDenyOverride = "priority(p.eft) && !some(where (p.eft == deny))";
         }
     }