Add LoadIncrementalFilteredPolicy functionality

Co-authored-by: hsluoyz <[email protected]>

Author: Copilot

Casbin.UnitTests/PersistTests/IncrementalFilteredAdapterTest.cs

@@ -0,0 +1,171 @@
+using System.IO;
+using System.Threading.Tasks;
+using Casbin.Model;
+using Casbin.Persist;
+using Casbin.Persist.Adapter.File;
+using Xunit;
+
+namespace Casbin.UnitTests.PersistTests;
+
+public class IncrementalFilteredAdapterTest
+{
+    [Fact]
+    public void TestLoadIncrementalFilteredPolicy()
+    {
+        Enforcer e = new("Examples/rbac_model.conf");
+        Assert.False(e.Enforce("alice", "data1", "read"));
+
+        FileAdapter a = new("Examples/rbac_policy.csv");
+        e.SetAdapter(a);
+        
+        // Load only p policies for alice
+        e.LoadFilteredPolicy(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["alice"])));
+        
+        // alice can read data1 (from p policy)
+        Assert.True(e.Enforce("alice", "data1", "read"));
+        // bob cannot write data2 (not loaded yet)
+        Assert.False(e.Enforce("bob", "data2", "write"));
+        
+        // Incrementally load p policies for data2_admin role
+        e.LoadIncrementalFilteredPolicy(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["data2_admin"])));
+        
+        // alice still can only read data1 (no role link yet)
+        Assert.True(e.Enforce("alice", "data1", "read"));
+        Assert.False(e.Enforce("alice", "data2", "read"));
+        
+        // Incrementally load g policies for alice
+        e.LoadIncrementalFilteredPolicy(new PolicyFilter(PermConstants.DefaultRoleType, 0, Policy.ValuesFrom(["alice"])));
+        
+        // Now alice can read data2 through role inheritance
+        Assert.True(e.Enforce("alice", "data2", "read"));
+        Assert.True(e.Enforce("alice", "data2", "write"));
+        // bob still cannot write data2 (not loaded)
+        Assert.False(e.Enforce("bob", "data2", "write"));
+    }
+
+    [Fact]
+    public async Task TestLoadIncrementalFilteredPolicyAsync()
+    {
+        Enforcer e = new("Examples/rbac_model.conf");
+        Assert.False(await e.EnforceAsync("alice", "data1", "read"));
+
+        FileAdapter a = new("Examples/rbac_policy.csv");
+        e.SetAdapter(a);
+        
+        // Load only p policies for alice
+        await e.LoadFilteredPolicyAsync(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["alice"])));
+        
+        // alice can read data1 (from p policy)
+        Assert.True(await e.EnforceAsync("alice", "data1", "read"));
+        // bob cannot write data2 (not loaded yet)
+        Assert.False(await e.EnforceAsync("bob", "data2", "write"));
+        
+        // Incrementally load p policies for data2_admin role
+        await e.LoadIncrementalFilteredPolicyAsync(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["data2_admin"])));
+        
+        // alice still can only read data1 (no role link yet)
+        Assert.True(await e.EnforceAsync("alice", "data1", "read"));
+        Assert.False(await e.EnforceAsync("alice", "data2", "read"));
+        
+        // Incrementally load g policies for alice
+        await e.LoadIncrementalFilteredPolicyAsync(new PolicyFilter(PermConstants.DefaultRoleType, 0, Policy.ValuesFrom(["alice"])));
+        
+        // Now alice can read data2 through role inheritance
+        Assert.True(await e.EnforceAsync("alice", "data2", "read"));
+        Assert.True(await e.EnforceAsync("alice", "data2", "write"));
+        // bob still cannot write data2 (not loaded)
+        Assert.False(await e.EnforceAsync("bob", "data2", "write"));
+    }
+
+    [Fact]
+    public void TestLoadIncrementalFilteredPolicyMultiplePTypes()
+    {
+        Enforcer e = new("Examples/rbac_model.conf");
+        Assert.False(e.Enforce("alice", "data1", "read"));
+
+        FileAdapter a = new("Examples/rbac_policy.csv");
+        e.SetAdapter(a);
+        
+        // Load only p policies for alice
+        e.LoadFilteredPolicy(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["alice"])));
+        
+        // alice can read data1
+        Assert.True(e.Enforce("alice", "data1", "read"));
+        // bob cannot write data2
+        Assert.False(e.Enforce("bob", "data2", "write"));
+        
+        // Incrementally load p policies for bob
+        e.LoadIncrementalFilteredPolicy(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["bob"])));
+        
+        // alice still can read data1
+        Assert.True(e.Enforce("alice", "data1", "read"));
+        // Now bob can write data2
+        Assert.True(e.Enforce("bob", "data2", "write"));
+    }
+
+    [Fact]
+    public async Task TestLoadIncrementalFilteredPolicyMultiplePTypesAsync()
+    {
+        Enforcer e = new("Examples/rbac_model.conf");
+        Assert.False(await e.EnforceAsync("alice", "data1", "read"));
+
+        FileAdapter a = new("Examples/rbac_policy.csv");
+        e.SetAdapter(a);
+        
+        // Load only p policies for alice
+        await e.LoadFilteredPolicyAsync(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["alice"])));
+        
+        // alice can read data1
+        Assert.True(await e.EnforceAsync("alice", "data1", "read"));
+        // bob cannot write data2
+        Assert.False(await e.EnforceAsync("bob", "data2", "write"));
+        
+        // Incrementally load p policies for bob
+        await e.LoadIncrementalFilteredPolicyAsync(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["bob"])));
+        
+        // alice still can read data1
+        Assert.True(await e.EnforceAsync("alice", "data1", "read"));
+        // Now bob can write data2
+        Assert.True(await e.EnforceAsync("bob", "data2", "write"));
+    }
+
+    [Fact]
+    public void TestLoadFilteredPolicyClearsExistingPolicies()
+    {
+        Enforcer e = new("Examples/rbac_model.conf");
+        FileAdapter a = new("Examples/rbac_policy.csv");
+        e.SetAdapter(a);
+        
+        // Load only p policies for alice
+        e.LoadFilteredPolicy(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["alice"])));
+        Assert.True(e.Enforce("alice", "data1", "read"));
+        
+        // Load filtered policy again (should clear previous policies)
+        e.LoadFilteredPolicy(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["bob"])));
+        
+        // alice can no longer read data1 (previous policies cleared)
+        Assert.False(e.Enforce("alice", "data1", "read"));
+        // bob can write data2 (new filtered policies loaded)
+        Assert.True(e.Enforce("bob", "data2", "write"));
+    }
+
+    [Fact]
+    public async Task TestLoadFilteredPolicyClearsExistingPoliciesAsync()
+    {
+        Enforcer e = new("Examples/rbac_model.conf");
+        FileAdapter a = new("Examples/rbac_policy.csv");
+        e.SetAdapter(a);
+        
+        // Load only p policies for alice
+        await e.LoadFilteredPolicyAsync(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["alice"])));
+        Assert.True(await e.EnforceAsync("alice", "data1", "read"));
+        
+        // Load filtered policy again (should clear previous policies)
+        await e.LoadFilteredPolicyAsync(new PolicyFilter(PermConstants.DefaultPolicyType, 0, Policy.ValuesFrom(["bob"])));
+        
+        // alice can no longer read data1 (previous policies cleared)
+        Assert.False(await e.EnforceAsync("alice", "data1", "read"));
+        // bob can write data2 (new filtered policies loaded)
+        Assert.True(await e.EnforceAsync("bob", "data2", "write"));
+    }
+}

Casbin/Abstractions/Persist/BaseAdapter.cs

@@ -221,6 +221,36 @@ public Task LoadFilteredPolicyAsync(IPolicyStore store, Filter filter)
 #endif
     }
 
+    public void LoadIncrementalFilteredPolicy(IPolicyStore store, IPolicyFilter filter)
+    {
+        // ReSharper disable once ConditionIsAlwaysTrueOrFalseAccordingToNullableAPIContract
+        if (filter is null)
+        {
+            LoadPolicy(store);
+            return;
+        }
+
+        IEnumerable<IPersistPolicy> policies = ReadPersistPolicy();
+        policies = filter.Apply(policies.AsQueryable());
+        foreach (IPersistPolicy policy in policies)
+        {
+            int requiredCount = store.GetRequiredValuesCount(policy.Section, policy.Type);
+            IPolicyValues values = Policy.ValuesFrom(policy, requiredCount);
+            store.AddPolicy(policy.Section, policy.Type, values);
+        }
+        IsFiltered = true;
+    }
+
+    public Task LoadIncrementalFilteredPolicyAsync(IPolicyStore store, IPolicyFilter filter)
+    {
+        LoadIncrementalFilteredPolicy(store, filter);
+#if !NET452
+        return Task.CompletedTask;
+#else
+        return Task.FromResult(true);
+#endif
+    }
+
     #endregion
 
     protected IEnumerable<IPersistPolicy> ReadPersistPolicy()

Casbin/Abstractions/Persist/IFilteredAdapter.cs

@@ -10,5 +10,9 @@ public interface IFilteredAdapter
         void LoadFilteredPolicy(IPolicyStore store, IPolicyFilter filter);
 
         Task LoadFilteredPolicyAsync(IPolicyStore store, IPolicyFilter filter);
+
+        void LoadIncrementalFilteredPolicy(IPolicyStore store, IPolicyFilter filter);
+
+        Task LoadIncrementalFilteredPolicyAsync(IPolicyStore store, IPolicyFilter filter);
     }
 }

Casbin/Extensions/Enforcer/EnforcerExtension.cs

@@ -229,6 +229,7 @@ public static bool LoadFilteredPolicy(this IEnforcer enforcer, IPolicyFilter fil
                 return false;
             }
 
+            enforcer.ClearCache();
             if (enforcer.AutoBuildRoleLinks)
             {
                 enforcer.BuildRoleLinks();
@@ -251,6 +252,7 @@ public static async Task<bool> LoadFilteredPolicyAsync(this IEnforcer enforcer,
                 return false;
             }
 
+            enforcer.ClearCache();
             if (enforcer.AutoBuildRoleLinks)
             {
                 enforcer.BuildRoleLinks();
@@ -269,6 +271,52 @@ public static async Task<bool> LoadFilteredPolicyAsync(this IEnforcer enforcer,
         public static Task<bool> LoadFilteredPolicyAsync(this IEnforcer enforcer, Filter filter) =>
             LoadFilteredPolicyAsync(enforcer, filter as IPolicyFilter);
 
+        /// <summary>
+        /// Appends a filtered policy from file/database without clearing the existing policies.
+        /// </summary>
+        /// <param name="enforcer"></param>
+        /// <param name="filter">The filter used to specify which type of policy should be loaded.</param>
+        /// <returns></returns>
+        public static bool LoadIncrementalFilteredPolicy(this IEnforcer enforcer, IPolicyFilter filter)
+        {
+            bool result = enforcer.Model.LoadIncrementalFilteredPolicy(filter);
+            if (result is false)
+            {
+                return false;
+            }
+
+            enforcer.ClearCache();
+            if (enforcer.AutoBuildRoleLinks)
+            {
+                enforcer.BuildRoleLinks();
+            }
+
+            return true;
+        }
+
+        /// <summary>
+        /// Appends a filtered policy from file/database without clearing the existing policies.
+        /// </summary>
+        /// <param name="enforcer"></param>
+        /// <param name="filter">The filter used to specify which type of policy should be loaded.</param>
+        /// <returns></returns>
+        public static async Task<bool> LoadIncrementalFilteredPolicyAsync(this IEnforcer enforcer, IPolicyFilter filter)
+        {
+            bool result = await enforcer.Model.LoadIncrementalFilteredPolicyAsync(filter);
+            if (result is false)
+            {
+                return false;
+            }
+
+            enforcer.ClearCache();
+            if (enforcer.AutoBuildRoleLinks)
+            {
+                enforcer.BuildRoleLinks();
+            }
+
+            return true;
+        }
+
         /// <summary>
         /// Saves the current policy (usually after changed with Casbin API)
         /// back to file/database.

Casbin/Extensions/Model/ModelExtension.cs

@@ -155,6 +155,40 @@ await model.AdapterHolder.FilteredAdapter.LoadFilteredPolicyAsync(policyStore,
             return true;
         }
 
+        public static bool LoadIncrementalFilteredPolicy(this IModel model, IPolicyFilter filter)
+        {
+            if (model.AdapterHolder.Adapter is null)
+            {
+                return false;
+            }
+
+            if (model.AdapterHolder.FilteredAdapter is null)
+            {
+                return false;
+            }
+
+            model.AdapterHolder.FilteredAdapter.LoadIncrementalFilteredPolicy(
+                model.PolicyStoreHolder.PolicyStore, filter);
+            return true;
+        }
+
+        public static async Task<bool> LoadIncrementalFilteredPolicyAsync(this IModel model, IPolicyFilter filter)
+        {
+            if (model.AdapterHolder.Adapter is null)
+            {
+                return false;
+            }
+
+            if (model.AdapterHolder.FilteredAdapter is null)
+            {
+                return false;
+            }
+
+            await model.AdapterHolder.FilteredAdapter.LoadIncrementalFilteredPolicyAsync(
+                model.PolicyStoreHolder.PolicyStore, filter);
+            return true;
+        }
+
         public static bool SavePolicy(this IModel model)
         {
             if (model.AdapterHolder.Adapter is null)