fix stackoverflow when circular link detected

examples/rbac_basic_role_model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj && regexMatch(r.act, p.act)

examples/rbac_basic_role_policy.csv

@@ -0,0 +1,5 @@
+p, book_admin , /book/1, GET
+p, pen_admin , /pen/1, GET
+
+g, *, book_admin 
+g, *, pen_admin

examples/rbac_with_pattern_domain_model.conf

@@ -0,0 +1,15 @@
+[request_definition]
+r = sub, dom, obj, act
+
+[policy_definition]
+p = sub, dom, obj, act
+
+[role_definition]
+g = _, _, _
+g2 = _, _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && g2(r.obj, p.obj, r.dom) && regexMatch(r.act, p.act)

examples/rbac_with_pattern_domain_policy.csv

@@ -0,0 +1,10 @@
+p, alice, domain2, /pen/1, GET
+p, alice, domain1, /book/1, GET
+
+p, book_admin, domain1, book_group, GET
+p, pen_admin, domain2, pen_group, GET
+
+g, alice, book_admin, domain1
+g, bob, pen_admin, domain2
+g2, /book/:id, book_group, domain1
+g2, /pen/:id, pen_group, domain2

src/rbac/default_role_manager.rs

@@ -39,14 +39,10 @@ impl DefaultRoleManager {
         );
 
         if let Some(matching_fn) = self.matching_fn {
-            for (n, r) in &mut self
-                .all_roles
-                .iter()
-                .filter(|(key, _)| key.as_str() != name)
-            {
-                if matching_fn(name.to_owned(), n.to_owned()) {
-                    role.write().unwrap().add_role(Arc::clone(r));
-                }
+            for (_, r) in &mut self.all_roles.iter().filter(|(key, _)| {
+                key.as_str() != name && matching_fn(name.to_owned(), (*key).to_owned())
+            }) {
+                role.write().unwrap().add_role(Arc::clone(r));
             }
         }
 

src/rbac_api.rs

@@ -244,17 +244,20 @@ where
 
     fn get_implicit_roles_for_user(&mut self, name: &str, domain: Option<&str>) -> Vec<String> {
         let mut res: HashSet<String> = HashSet::new();
-        let roles = self
-            .get_role_manager()
-            .write()
-            .unwrap()
-            .get_roles(name, domain);
-        res.extend(roles.clone());
-
-        roles.iter().for_each(|role| {
-            res.extend(self.get_implicit_roles_for_user(role, domain));
-        });
-
+        let mut q: Vec<String> = vec![name.to_owned()];
+        while !q.is_empty() {
+            let name = q.swap_remove(0);
+            let roles = self
+                .get_role_manager()
+                .write()
+                .unwrap()
+                .get_roles(&name, domain);
+            for r in roles.into_iter() {
+                if res.insert(r.to_owned()) {
+                    q.push(r);
+                }
+            }
+        }
         res.into_iter().collect()
     }
 
@@ -1092,6 +1095,100 @@ mod tests {
         );
     }
 
+    #[cfg_attr(feature = "runtime-async-std", async_std::test)]
+    #[cfg_attr(feature = "runtime-tokio", tokio::test)]
+    async fn test_pattern_matching_fn_with_domain() {
+        let mut e = Enforcer::new(
+            "examples/rbac_with_pattern_domain_model.conf",
+            "examples/rbac_with_pattern_domain_policy.csv",
+        )
+        .await
+        .unwrap();
+
+        use crate::model::key_match2;
+
+        e.add_matching_fn(key_match2).unwrap();
+
+        assert!(e
+            .enforce(&["alice", "domain2", "/pen/1", "GET"])
+            .await
+            .unwrap());
+        assert!(e
+            .enforce(&["alice", "domain1", "/book/1", "GET"])
+            .await
+            .unwrap());
+
+        assert!(e
+            .enforce(&["alice", "domain1", "/book/2", "GET"])
+            .await
+            .unwrap());
+        assert!(!e
+            .enforce(&["alice", "domain_unknown", "/book/2", "GET"])
+            .await
+            .unwrap());
+        assert!(!e
+            .enforce(&["alice", "domain2", "/pen/2", "GET"])
+            .await
+            .unwrap());
+
+        assert!(e
+            .enforce(&["bob", "domain2", "/pen/2", "GET"])
+            .await
+            .unwrap());
+        assert!(!e
+            .enforce(&["bob", "domain_unknown", "/pen/2", "GET"])
+            .await
+            .unwrap());
+        assert!(!e
+            .enforce(&["bob", "domain1", "/book/2", "GET"])
+            .await
+            .unwrap());
+
+        assert_eq!(
+            vec!["/book/:id", "book_group"],
+            sort_unstable(e.get_implicit_roles_for_user("/book/1", Some("domain1")))
+        );
+
+        assert_eq!(
+            vec!["/pen/:id", "pen_group"],
+            sort_unstable(e.get_implicit_roles_for_user("/pen/1", Some("domain2")))
+        );
+    }
+
+    #[cfg_attr(feature = "runtime-async-std", async_std::test)]
+    #[cfg_attr(feature = "runtime-tokio", tokio::test)]
+    async fn test_pattern_matching_basic_role() {
+        let mut e = Enforcer::new(
+            "examples/rbac_basic_role_model.conf",
+            "examples/rbac_basic_role_policy.csv",
+        )
+        .await
+        .unwrap();
+
+        use crate::model::key_match;
+
+        e.add_matching_fn(key_match).unwrap();
+
+        assert!(e.enforce(&["alice", "/pen/1", "GET"]).await.unwrap());
+        assert!(e.enforce(&["alice", "/book/1", "GET"]).await.unwrap());
+        assert!(e.enforce(&["bob", "/pen/1", "GET"]).await.unwrap());
+        assert!(e.enforce(&["bob", "/book/1", "GET"]).await.unwrap());
+
+        assert!(!e.enforce(&["alice", "/pen/2", "GET"]).await.unwrap());
+        assert!(!e.enforce(&["alice", "/book/2", "GET"]).await.unwrap());
+        assert!(!e.enforce(&["bob", "/pen/2", "GET"]).await.unwrap());
+        assert!(!e.enforce(&["bob", "/book/2", "GET"]).await.unwrap());
+
+        assert_eq!(
+            vec!["*", "book_admin", "pen_admin"],
+            sort_unstable(e.get_implicit_roles_for_user("alice", None))
+        );
+        assert_eq!(
+            vec!["*", "book_admin", "pen_admin"],
+            sort_unstable(e.get_implicit_roles_for_user("bob", None))
+        );
+    }
+
     #[cfg_attr(feature = "runtime-async-std", async_std::test)]
     #[cfg_attr(feature = "runtime-tokio", tokio::test)]
     async fn test_implicit_users_for_permission() {

src/util.rs

@@ -33,7 +33,7 @@ pub fn escape_eval(mut m: String, scope: &Scope) -> String {
                 .replace(m.as_str(), escape_assertion(format!("({})", &val)).as_str())
                 .to_string();
         } else {
-            panic!("eval(*) must make sure * can be evaluated");
+            panic!("{} not found in scope", &caps["rule"]);
         }
     }
     m