POC try scaling abac rules #121

Merged
merged 3 commits into from
Apr 19, 2020
GopherJ (Member) commented Apr 18, 2020

This PR allows defining something like this in the model. I would like to solve: casbin/casbin#354

```
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = Any(_) && r.obj == p.obj && r.act == p.act
```

and in policy we can then write like this:

```
p, Any(r.sub.age > 18), /data1, read
```

This policy means that we don't care who the person sending the request is, but his/her age should be greater than 18.

I made it work in casbin-rs. I'm not sure if we should do it like this, but I think it may help solve some problems.

Also can the syntax be better?

GopherJ changed the title from "finish scaling abac rules" to "POC try scaling abac rules" Apr 18, 2020

codecov bot commented Apr 18, 2020

Codecov Report

Merging #121 into master will increase coverage by 0.03%.
The diff coverage is 92.10%.

@@            Coverage Diff             @@
##           master     #121      +/-   ##
==========================================
+ Coverage   87.20%   87.23%   +0.03%     
==========================================
  Files          19       19              
  Lines        2961     2992      +31     
==========================================
+ Hits         2582     2610      +28     
- Misses        379      382       +3     
Impacted Files Coverage Δ
src/enforcer.rs 91.76% <91.66%> (-0.06%) ⬇️
src/util.rs 97.43% <92.85%> (-2.57%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

hsluoyz (Member) commented Apr 18, 2020

@GopherJ very good work! Actually it inspires me about a better grammar:

model:

```
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub_rule, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = eval(p.sub_rule) && r.obj == p.obj && r.act == p.act
```

policy:

```
p, any(r.sub.age > 18), /data1, read
```

I made this change because Any(r.sub.age > 18) is a rule instead of the subject itself. eval() is a built-in function that evaluates a boolean expression into a boolean. The user needs to make sure any(r.sub.age > 18) is a valid expression for the Casbin matcher.

GopherJ (Member, Author) commented Apr 18, 2020

@hsluoyz I love the new grammar because Any is just what I used to test and avoid conflicts ~~ sub_rule is a good design which refers to an ABAC rule.

So just to think about implementation:

We should check if the matcher has eval(*), right? If yes, we replace it with the inside variable's value and add a () to avoid the && || priority problem.
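
Added example, not part of the PR thread or the casbin-rs code base: a sketch of the substitution described in the comment above, showing why the added `()` matters for the authorization result. The names `expand_eval`, `allowed`, the `wrap` flag, the toy evaluator, the bare rule text and the `||` rule used to exercise it are assumptions constructed for illustration.

```rust
use std::collections::HashMap;
// Splice each `eval(<field>)` with that policy field's rule text; `wrap` adds the ().
fn expand_eval(matcher: &str, policy: &HashMap<&str, &str>, wrap: bool) -> Result<String, String> {
    let (open, close) = if wrap { ("(", ")") } else { ("", "") };
    let (mut out, mut rest) = (String::new(), matcher);
    while let Some(start) = rest.find("eval(") {
        let after = &rest[start + 5..];
        let end = after.find(')').ok_or("unclosed eval(")?;
        let field = after[..end].trim();
        let rule = policy.get(field).ok_or(format!("unknown policy field: {}", field))?;
        out.push_str(&format!("{}{}{}{}", &rest[..start], open, rule, close));
        rest = &after[end + 1..];
    }
    out.push_str(rest);
    Ok(out)
}

// Toy evaluator (hypothetical, not Casbin's): `&&` binds tighter than `||`; comparisons are atoms in `facts`.
fn or(s: &mut &str, facts: &HashMap<&str, bool>) -> bool {
    let mut v = and(s, facts);
    while let Some(r) = s.trim_start().strip_prefix("||") {
        *s = r;
        v = and(s, facts) || v; // right side first, so its input is always consumed
    }
    v
}
fn and(s: &mut &str, facts: &HashMap<&str, bool>) -> bool {
    let mut v = atom(s, facts);
    while let Some(r) = s.trim_start().strip_prefix("&&") {
        *s = r;
        v = atom(s, facts) && v;
    }
    v
}
fn atom(s: &mut &str, facts: &HashMap<&str, bool>) -> bool {
    let t = s.trim_start();
    if let Some(r) = t.strip_prefix('(') {
        *s = r;
        let v = or(s, facts);
        *s = s.trim_start().strip_prefix(')').unwrap_or("");
        return v;
    }
    let end = ["&&", "||", ")"].iter().filter_map(|p| t.find(*p)).min().unwrap_or(t.len());
    *s = &t[end..];
    *facts.get(t[..end].trim()).unwrap_or(&false) // unknown atoms fail closed
}
fn allowed(mut m: &str, facts: &HashMap<&str, bool>) -> bool { or(&mut m, facts) }
```

With the constructed rule `r.sub.age > 18 || r.sub.admin == true` and a request whose object does not match the policy, the unwrapped expansion evaluates to allow because the trailing `&&` terms attach only to the right side of the `||`, while the parenthesised expansion denies.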

hsluoyz (Member) commented Apr 18, 2020

I think your implementation is simple and correct. Thumbs up!

GopherJ (Member, Author) commented Apr 18, 2020

ok thanks!

hsluoyz (Member) commented Apr 19, 2020

lgtm

hsluoyz merged commit 16f45d0 into casbin:master Apr 19, 2020

hsluoyz (Member) commented Apr 19, 2020

As next step, we can:

  1. Sync this feature to Golang's Casbin and solve this issue: Scaling ABAC Rules casbin#354
  2. Add it to ABAC docs: https://casbin.org/docs/en/abac
