docs: add rebac model examples and tests

D0000M · D0000M · commit b58a56872075 · 2025-07-21T20:30:18.000+08:00
diff --git a/examples/rebac_model.conf b/examples/rebac_model.conf
@@ -0,0 +1,15 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = role, obj_type, act
+
+[role_definition]
+g = _, _, _
+g2 = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, r.obj, p.role) && g2(r.obj, p.obj_type) && r.act == p.act
diff --git a/examples/rebac_policy.csv b/examples/rebac_policy.csv
@@ -0,0 +1,7 @@
+p, collaborator, doc, read
+
+g, alice, doc1, collaborator
+g, bob, doc2, collaborator
+
+g2, doc1, doc
+g2, doc2, doc
diff --git a/model_test.go b/model_test.go
@@ -680,3 +680,21 @@ func TestTemporalRolesModelWithDomain(t *testing.T) {
 	testDomainEnforce(t, e, "alice", "domain_not_exist", "data8", "read", false)
 	testDomainEnforce(t, e, "alice", "domain_not_exist", "data8", "write", false)
 }
+
+func TestReBACModel(t *testing.T) {
+	e, _ := NewEnforcer("examples/rebac_model.conf", "examples/rebac_policy.csv")
+
+	testEnforce(t, e, "alice", "doc1", "read", true)
+	testEnforce(t, e, "alice", "doc1", "write", false)
+	testEnforce(t, e, "alice", "doc2", "read", false)
+	testEnforce(t, e, "alice", "doc2", "write", false)
+	testEnforce(t, e, "alice", "doc3", "read", false)
+	testEnforce(t, e, "alice", "doc3", "write", false)
+
+	testEnforce(t, e, "bob", "doc1", "read", false)
+	testEnforce(t, e, "bob", "doc1", "write", false)
+	testEnforce(t, e, "bob", "doc2", "read", true)
+	testEnforce(t, e, "bob", "doc2", "write", false)
+	testEnforce(t, e, "bob", "doc3", "read", false)
+	testEnforce(t, e, "bob", "doc3", "write", false)
+}
