The latest articles on DEV Community by greenhandatsjtu (@greenhandatsjtu). https://dev.to/greenhandatsjtu https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F447679%2Ffd05b53d-7fcd-4842-908a-902b60c8a5fb.png https://dev.to/greenhandatsjtu en greenhandatsjtu Sun, 24 Jul 2022 05:07:00 +0000 https://dev.to/greenhandatsjtu/a-tutorial-on-how-to-integrate-casbin-with-poem-web-services-4hje https://dev.to/greenhandatsjtu/a-tutorial-on-how-to-integrate-casbin-with-poem-web-services-4hje <h2> Introduction </h2> <p><a href="https://github.com/casbin/casbin-rs" rel="noopener noreferrer">Casbin-rs</a> is an authorization library that supports access control models like ACL, RBAC, ABAC written in Rust.</p> <p><a href="https://github.com/poem-web/poem" rel="noopener noreferrer">Poem</a> is a full-featured and easy-to-use web framework with the Rust programming language.</p> <p>In this tutorial, we will integrate casbin-rs with poem web services using <a href="https://github.com/casbin-rs/poem-casbin" rel="noopener noreferrer">poem-casbin</a> middleware.<br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/casbin-rs" rel="noopener noreferrer"> casbin-rs </a> / <a href="https://github.com/casbin-rs/poem-casbin" rel="noopener noreferrer"> poem-casbin </a> </h2> <h3> Casbin Poem access control middleware </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Poem Casbin Middleware</h1> </div> <p><a href="https://github.com/casbin/casbin-rs" rel="noopener noreferrer">Casbin</a> access control middleware for <a href="https://github.com/poem-web/poem" rel="noopener noreferrer">poem</a> framework</p> <div class="markdown-heading"> <h2 class="heading-element">Install</h2> </div> <p>Add it to <code>Cargo.toml</code></p> <div class="highlight highlight-source-toml notranslate position-relative overflow-auto js-code-highlight"> <pre><span class="pl-smi">poem</span> = <span class="pl-s"><span class="pl-pds">"</span>1.3.31<span class="pl-pds">"</span></span> <span class="pl-smi">poem-casbin-auth</span> = <span class="pl-s"><span class="pl-pds">"</span>0.x.x<span class="pl-pds">"</span></span> <span class="pl-smi">tokio</span> = { <span class="pl-smi">version</span> = <span class="pl-s"><span class="pl-pds">"</span>1.17.0<span class="pl-pds">"</span></span>, <span class="pl-smi">features</span> = [<span class="pl-s"><span class="pl-pds">"</span>rt-multi-thread<span class="pl-pds">"</span></span>, <span class="pl-s"><span class="pl-pds">"</span>macros<span class="pl-pds">"</span></span>] }</pre> </div> <div class="markdown-heading"> <h2 class="heading-element">Requirement</h2> </div> <p><strong>Casbin only takes charge of permission control</strong>, so you need to implement an <code>Authentication Middleware</code> to identify user.</p> <p>You should put <code>poem_casbin_auth::CasbinVals</code> which contains <code>subject</code>(username) and <code>domain</code>(optional) into <a href="https://docs.rs/http/0.2.8/http/struct.Extensions.html" rel="nofollow noopener noreferrer">Extension</a>.</p> <p>For example:</p> <div class="highlight highlight-source-rust notranslate position-relative overflow-auto js-code-highlight"> <pre><span class="pl-k">use</span> poem<span class="pl-kos">::</span><span class="pl-kos">{</span> <span class="pl-v">Endpoint</span><span class="pl-kos">,</span> <span class="pl-v">EndpointExt</span><span class="pl-kos">,</span> <span class="pl-v">Middleware</span><span class="pl-kos">,</span> <span class="pl-v">Request</span><span class="pl-kos">,</span> <span class="pl-v">Result</span><span class="pl-kos">,</span> <span class="pl-kos">}</span><span class="pl-kos">;</span> <span class="pl-k">use</span> poem_casbin_auth<span class="pl-kos">::</span><span class="pl-v">CasbinVals</span><span class="pl-kos">;</span> <span class="pl-k">pub</span> <span class="pl-k">struct</span> <span class="pl-smi">FakeAuth</span><span class="pl-kos">;</span> <span class="pl-k">pub</span> <span class="pl-k">struct</span> <span class="pl-smi">FakeAuthMiddleware</span><span class="pl-kos">&lt;</span><span class="pl-smi">E</span><span class="pl-kos">&gt;</span> <span class="pl-kos">{</span> <span class="pl-c1">ep</span><span class="pl-kos">:</span> <span class="pl-smi">E</span><span class="pl-kos">,</span> <span class="pl-kos">}</span> <span class="pl-k">impl</span><span class="pl-kos">&lt;</span><span class="pl-smi">E</span><span class="pl-kos">:</span> <span class="pl-smi">Endpoint</span><span class="pl-kos">&gt;</span> <span class="pl-smi">Middleware</span><span class="pl-kos">&lt;</span><span class="pl-smi">E</span><span class="pl-kos">&gt;</span> <span class="pl-k">for</span> <span class="pl-smi">FakeAuth</span> <span class="pl-kos">{</span> <span class="pl-k">type</span> <span class="pl-smi">Output</span> = <span class="pl-smi">FakeAuthMiddleware</span><span class="pl-kos">&lt;</span><span class="pl-smi">E</span><span class="pl-kos">&gt;</span><span class="pl-kos">;</span> <span class="pl-k">fn</span> <span class="pl-en">transform</span><span class="pl-kos">(</span><span class="pl-c1">&amp;</span><span class="pl-smi">self</span><span class="pl-kos">,</span> <span class="pl-s1">ep</span><span class="pl-kos">:</span> <span class="pl-smi">E</span><span class="pl-kos">)</span></pre>… </div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/casbin-rs/poem-casbin" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> Write a hello-world service with poem </h2> <p>First, create a cargo crate, then add following dependencies in <code>Cargo.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="py">tokio</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"1.20.0"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"rt-multi-thread"</span><span class="p">,</span> <span class="s">"macros"</span><span class="p">]</span> <span class="p">}</span> <span class="py">poem</span> <span class="p">=</span> <span class="s">"1.3.35"</span> </code></pre> </div> <p>Add following code to <code>main.rs</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">poem</span><span class="p">::{</span><span class="n">get</span><span class="p">,</span> <span class="n">handler</span><span class="p">,</span> <span class="nn">listener</span><span class="p">::</span><span class="n">TcpListener</span><span class="p">,</span> <span class="nn">web</span><span class="p">::</span><span class="n">Path</span><span class="p">,</span> <span class="n">Route</span><span class="p">,</span> <span class="n">Server</span><span class="p">};</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="n">env</span><span class="p">;</span> <span class="nd">#[handler]</span> <span class="k">fn</span> <span class="nf">pen1</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">String</span> <span class="p">{</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"I'm pen 1"</span><span class="p">)</span> <span class="p">}</span> <span class="nd">#[handler]</span> <span class="k">fn</span> <span class="nf">pen2</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">String</span> <span class="p">{</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="s">"I'm pen 2"</span><span class="p">)</span> <span class="p">}</span> <span class="nd">#[handler]</span> <span class="k">fn</span> <span class="nf">book</span><span class="p">(</span><span class="nf">Path</span><span class="p">(</span><span class="n">id</span><span class="p">):</span> <span class="n">Path</span><span class="o">&lt;</span><span class="nb">String</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">String</span> <span class="p">{</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"I'm book {}"</span><span class="p">,</span> <span class="n">id</span><span class="p">)</span> <span class="p">}</span> <span class="nd">#[tokio::main]</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nn">std</span><span class="p">::</span><span class="nn">io</span><span class="p">::</span><span class="n">Error</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="nn">env</span><span class="p">::</span><span class="nf">var_os</span><span class="p">(</span><span class="s">"RUST_LOG"</span><span class="p">)</span><span class="nf">.is_none</span><span class="p">()</span> <span class="p">{</span> <span class="nn">env</span><span class="p">::</span><span class="nf">set_var</span><span class="p">(</span><span class="s">"RUST_LOG"</span><span class="p">,</span> <span class="s">"poem=debug"</span><span class="p">);</span> <span class="p">}</span> <span class="k">let</span> <span class="n">app</span> <span class="o">=</span> <span class="nn">Route</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/pen/1"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">pen1</span><span class="p">))</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/pen/2"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">pen2</span><span class="p">))</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/book/:id"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">book</span><span class="p">));</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="s">"127.0.0.1:3000"</span><span class="p">))</span> <span class="nf">.name</span><span class="p">(</span><span class="s">"poem-casbin-demo"</span><span class="p">)</span> <span class="nf">.run</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">.await</span> <span class="p">}</span> </code></pre> </div> <p>There are 3 endpoints, <code>/pen/1</code>, <code>/pen/2</code>, and <code>/book/:id</code>. It’s quite simple, right? Let’s run our service, enter <code>cargo run</code> and our service will be available at <code>127.0.0.1:3000</code>.</p> <p>Let’s use <code>curl</code> to test our service:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fou037k82po7e4noks6ef.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fou037k82po7e4noks6ef.png" alt="Send requests to poem endpoints"></a></p> <h2> Integrate with basic auth middleware </h2> <p>Note that casbin-poem is an authorization middleware, not an authentication middleware. Casbin only takes charge of permission control, so we need to implement an authentication middleware to identify user.</p> <p>In this part, we will integrate a basic auth middleware with our service.</p> <p>To start with, add following dependency to <code>Cargo.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="py">poem-casbin-auth</span> <span class="o">=</span> <span class="p">{</span> <span class="py">git</span> <span class="p">=</span> <span class="s">"https://github.com/casbin-rs/poem-casbin.git"</span> <span class="p">}</span> </code></pre> </div> <p>Then create a file named <code>auth.rs</code> and add following code to it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">poem</span><span class="p">::{</span> <span class="nn">http</span><span class="p">::</span><span class="n">StatusCode</span><span class="p">,</span> <span class="nn">web</span><span class="p">::{</span> <span class="n">headers</span><span class="p">,</span> <span class="nn">headers</span><span class="p">::{</span><span class="nn">authorization</span><span class="p">::</span><span class="n">Basic</span><span class="p">,</span> <span class="n">HeaderMapExt</span><span class="p">},</span> <span class="p">},</span> <span class="n">Endpoint</span><span class="p">,</span> <span class="n">Error</span><span class="p">,</span> <span class="n">Middleware</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="nb">Result</span><span class="p">,</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">poem_casbin_auth</span><span class="p">::</span><span class="n">CasbinVals</span><span class="p">;</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">BasicAuth</span><span class="p">;</span> <span class="k">impl</span><span class="o">&lt;</span><span class="n">E</span><span class="p">:</span> <span class="n">Endpoint</span><span class="o">&gt;</span> <span class="n">Middleware</span><span class="o">&lt;</span><span class="n">E</span><span class="o">&gt;</span> <span class="k">for</span> <span class="n">BasicAuth</span> <span class="p">{</span> <span class="k">type</span> <span class="n">Output</span> <span class="o">=</span> <span class="n">BasicAuthEndpoint</span><span class="o">&lt;</span><span class="n">E</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">transform</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">ep</span><span class="p">:</span> <span class="n">E</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="n">Output</span> <span class="p">{</span> <span class="n">BasicAuthEndpoint</span> <span class="p">{</span> <span class="n">ep</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">BasicAuthEndpoint</span><span class="o">&lt;</span><span class="n">E</span><span class="o">&gt;</span> <span class="p">{</span> <span class="n">ep</span><span class="p">:</span> <span class="n">E</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[poem::async_trait]</span> <span class="k">impl</span><span class="o">&lt;</span><span class="n">E</span><span class="p">:</span> <span class="n">Endpoint</span><span class="o">&gt;</span> <span class="n">Endpoint</span> <span class="k">for</span> <span class="n">BasicAuthEndpoint</span><span class="o">&lt;</span><span class="n">E</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">type</span> <span class="n">Output</span> <span class="o">=</span> <span class="nn">E</span><span class="p">::</span><span class="n">Output</span><span class="p">;</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">call</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="k">mut</span> <span class="n">req</span><span class="p">:</span> <span class="n">Request</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="k">Self</span><span class="p">::</span><span class="n">Output</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">auth</span><span class="p">)</span> <span class="o">=</span> <span class="n">req</span><span class="nf">.headers</span><span class="p">()</span><span class="py">.typed_get</span><span class="p">::</span><span class="o">&lt;</span><span class="nn">headers</span><span class="p">::</span><span class="n">Authorization</span><span class="o">&lt;</span><span class="n">Basic</span><span class="o">&gt;&gt;</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">vals</span> <span class="o">=</span> <span class="n">CasbinVals</span> <span class="p">{</span> <span class="n">subject</span><span class="p">:</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="n">auth</span><span class="nf">.username</span><span class="p">()),</span> <span class="n">domain</span><span class="p">:</span> <span class="nb">None</span><span class="p">,</span> <span class="p">};</span> <span class="n">req</span><span class="nf">.extensions_mut</span><span class="p">()</span><span class="nf">.insert</span><span class="p">(</span><span class="n">vals</span><span class="p">);</span> <span class="k">self</span><span class="py">.ep</span><span class="nf">.call</span><span class="p">(</span><span class="n">req</span><span class="p">)</span><span class="k">.await</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">Error</span><span class="p">::</span><span class="nf">from_status</span><span class="p">(</span><span class="nn">StatusCode</span><span class="p">::</span><span class="n">UNAUTHORIZED</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>In this mod, we implement a basic auth middleware, for simplicity, here we don’t verify username and password, instead we just insert <code>CasbinVals</code> with provided username into <code>Extension</code>, so that poem-casbin middleware can extract identity information. If the request doesn’t have basic auth, then the middleware will return 401 Unauthorized.</p> <p>Then let’s integrate this basic auth middleware with our service. Firstly, add following code to <code>main.rs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">mod</span> <span class="n">auth</span><span class="p">;</span> <span class="k">use</span> <span class="nn">poem_casbin_auth</span><span class="p">::</span><span class="n">CasbinVals</span><span class="p">;</span> </code></pre> </div> <p>Then add a new handler to confirm that our auth middleware insert identity information correctly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[handler]</span> <span class="k">fn</span> <span class="nf">user</span><span class="p">(</span><span class="n">data</span><span class="p">:</span> <span class="n">Data</span><span class="o">&lt;&amp;</span><span class="n">CasbinVals</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">String</span> <span class="p">{</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Hello, {}"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">data</span><span class="py">.subject</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Lastly, rewrite <code>main</code> function to add an endpoint <code>/user</code> and wrap all endpoints with basic auth middleware, now it looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">app</span> <span class="o">=</span> <span class="nn">Route</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/pen/1"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">pen1</span><span class="p">))</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/pen/2"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">pen2</span><span class="p">))</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/book/:id"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">book</span><span class="p">))</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/user"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">user</span><span class="p">))</span> <span class="nf">.with</span><span class="p">(</span><span class="n">casbin_middleware</span><span class="p">)</span> <span class="nf">.with</span><span class="p">(</span><span class="nn">auth</span><span class="p">::</span><span class="n">BasicAuth</span><span class="p">);</span> </code></pre> </div> <p>Now, let’s use <code>curl</code> again to test our service.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6ut5bs8t9o9q8hk16nwr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6ut5bs8t9o9q8hk16nwr.png" alt="Get 401 Unauthorized response"></a></p> <p>Now as you can see, if we don’t provide basic auth when accessing our service, we will get 401 Unauthorized. Our request is aborted by basic auth middleware. Let’s send requests with basic auth:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-u</span> alice:123 localhost:3000/book/1 </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu6ytj5016ov928jex2pa.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu6ytj5016ov928jex2pa.png" alt="Send requests with basic auth"></a></p> <p>Now we can get response as normal. It seems that our basic auth middleware works well.</p> <h2> Integrate with poem-casbin middleware </h2> <p>In the last part, we will integrate poem-casbin middleware with our service.</p> <p>First, we need to provide conf and policy files under the project root directory.</p> <p><code>rbac_with_pattern_model.conf</code> looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[request_definition] r = sub, obj, act [policy_definition] p = sub, obj, act [role_definition] g = _, _ g2 = _, _ [policy_effect] e = some(where (p.eft == allow)) [matchers] m = g(r.sub, p.sub) &amp;&amp; g2(r.obj, p.obj) &amp;&amp; regexMatch(r.act, p.act) </code></pre> </div> <p><code>rbac_with_pattern_policy.csv</code> looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>p, alice, /pen/1, GET p, book_admin, book_group, GET p, pen_admin, pen_group, GET ,,, g, alice, book_admin, g, bob, pen_admin, g2, /book/:id, book_group, g2, /pen/:id, pen_group, </code></pre> </div> <p>These policy means:</p> <ul> <li>For alice: <ul> <li>can access <code>/pen/1</code> </li> <li>is <code>book_admin</code>, thus can access <code>/book/:id</code> </li> </ul> </li> <li>For bob: <ul> <li>is <code>pen_admin</code>, thus can access <code>/pen/:id</code> </li> </ul> </li> </ul> <p>Now let’s focus on <code>main.rs</code>, first add following code to it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">poem_casbin_auth</span><span class="p">::</span><span class="nn">casbin</span><span class="p">::</span><span class="nn">function_map</span><span class="p">::</span><span class="n">key_match2</span><span class="p">;</span> <span class="k">use</span> <span class="nn">poem_casbin_auth</span><span class="p">::</span><span class="nn">casbin</span><span class="p">::{</span><span class="n">CoreApi</span><span class="p">,</span> <span class="n">DefaultModel</span><span class="p">,</span> <span class="n">FileAdapter</span><span class="p">};</span> <span class="k">use</span> <span class="nn">poem_casbin_auth</span><span class="p">::{</span><span class="n">CasbinService</span><span class="p">,</span> <span class="n">CasbinVals</span><span class="p">};</span> </code></pre> </div> <p>Then rewrite <code>main</code> function to wrap our service with poem-casbin middleware:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">m</span> <span class="o">=</span> <span class="nn">DefaultModel</span><span class="p">::</span><span class="nf">from_file</span><span class="p">(</span><span class="s">"rbac_with_pattern_model.conf"</span><span class="p">)</span> <span class="k">.await</span> <span class="nf">.unwrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">a</span> <span class="o">=</span> <span class="nn">FileAdapter</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">"rbac_with_pattern_policy.csv"</span><span class="p">);</span> <span class="k">let</span> <span class="n">casbin_middleware</span> <span class="o">=</span> <span class="nn">CasbinService</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="n">m</span><span class="p">,</span> <span class="n">a</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="n">casbin_middleware</span> <span class="nf">.write</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.get_role_manager</span><span class="p">()</span> <span class="nf">.write</span><span class="p">()</span> <span class="nf">.matching_fn</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">key_match2</span><span class="p">),</span> <span class="nb">None</span><span class="p">);</span> <span class="k">let</span> <span class="n">app</span> <span class="o">=</span> <span class="nn">Route</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/pen/1"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">pen1</span><span class="p">))</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/pen/2"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">pen2</span><span class="p">))</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/book/:id"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">book</span><span class="p">))</span> <span class="nf">.at</span><span class="p">(</span><span class="s">"/user"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">user</span><span class="p">))</span> <span class="nf">.with</span><span class="p">(</span><span class="n">casbin_middleware</span><span class="p">)</span> <span class="nf">.with</span><span class="p">(</span><span class="nn">auth</span><span class="p">::</span><span class="n">BasicAuth</span><span class="p">);</span> </code></pre> </div> <p>Here we first read conf and policy, then create <code>casbin_middleware</code> and change <code>matching_fn</code> to <code>key_match</code> to match wildcard path (like <code>/:id</code>). Lastly, we wrap all endpoints with <code>casbin_middleware</code>.</p> <p>That’s all the work we have to do to integrate poem-casbin middleware with our service, quite simple, right?</p> <p>Again, let’s use <code>curl</code> to test our service:</p> <p>If alice wants to access <code>/pen/2</code>, she will get 403 Forbidden, because she is not allowed to access this endpoint.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57850ft8fpzbvrlo7r8q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57850ft8fpzbvrlo7r8q.png" alt="Alice can't access /pen/2"></a></p> <p>Likewise, bob can’t access <code>/book/2</code>:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fut9rfj2t2rwe7pdbabcd.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fut9rfj2t2rwe7pdbabcd.png" alt="Bob can't access /book/2"></a></p> <p>Everything is fine when both users send requests to the endpoints that they can access:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fchstfwaqe4d52ozqnnxl.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fchstfwaqe4d52ozqnnxl.png" alt="Send requests to accessible endpoints"></a></p> <h2> Summary </h2> <p>In this tutorial, we write a hello-world web service using poem, then integrate a basic auth and casbin-poem middleware into it. It’s a quite simple project with only ~100 LOC, its code can be found at this repository: <br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/greenhandatsjtu" rel="noopener noreferrer"> greenhandatsjtu </a> / <a href="https://github.com/greenhandatsjtu/poem-casbin-demo" rel="noopener noreferrer"> poem-casbin-demo </a> </h2> <h3> Demo to integrate casbin-rs with poem web services using poem-casbin middleware </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">poem-casbin-demo</h1> </div> <p>Demo to integrate casbin-rs with poem web services using poem-casbin middleware</p> <div class="markdown-heading"> <h2 class="heading-element">Introduction</h2> </div> <p><a href="https://github.com/casbin/casbin-rs" rel="noopener noreferrer">Casbin-rs</a> is an authorization library that supports access control models like ACL, RBAC, ABAC written in Rust.</p> <p><a href="https://github.com/poem-web/poem" rel="noopener noreferrer">Poem</a> is a full-featured and easy-to-use web framework with the Rust programming language.</p> <p>In this tutorial, we will integrate casbin-rs with poem web services using <a href="https://github.com/casbin-rs/poem-casbin" rel="noopener noreferrer">poem-casbin</a> middleware.</p> <div class="markdown-heading"> <h2 class="heading-element">Write a hello-world service with poem</h2> </div> <p>First, create a cargo crate, then add following dependencies in <code>Cargo.toml</code>:</p> <div class="highlight highlight-source-toml notranslate position-relative overflow-auto js-code-highlight"> <pre><span class="pl-smi">tokio</span> = { <span class="pl-smi">version</span> = <span class="pl-s"><span class="pl-pds">"</span>1.20.0<span class="pl-pds">"</span></span>, <span class="pl-smi">features</span> = [<span class="pl-s"><span class="pl-pds">"</span>rt-multi-thread<span class="pl-pds">"</span></span>, <span class="pl-s"><span class="pl-pds">"</span>macros<span class="pl-pds">"</span></span>] } <span class="pl-smi">poem</span> = <span class="pl-s"><span class="pl-pds">"</span>1.3.35<span class="pl-pds">"</span></span></pre> </div> <p>Add following code to <code>main.rs</code></p> <div class="highlight highlight-source-rust notranslate position-relative overflow-auto js-code-highlight"> <pre><span class="pl-k">use</span> poem<span class="pl-kos">::</span><span class="pl-kos">{</span>get<span class="pl-kos">,</span> handler<span class="pl-kos">,</span> listener<span class="pl-kos">::</span><span class="pl-v">TcpListener</span><span class="pl-kos">,</span> web<span class="pl-kos">::</span><span class="pl-v">Path</span><span class="pl-kos">,</span> <span class="pl-v">Route</span><span class="pl-kos">,</span> <span class="pl-v">Server</span><span class="pl-kos">}</span><span class="pl-kos">;</span> <span class="pl-k">use</span> std<span class="pl-kos">::</span>env<span class="pl-kos">;</span> <span class="pl-c1">#<span class="pl-kos">[</span>handler<span class="pl-kos">]</span></span> <span class="pl-k">fn</span> <span class="pl-en">pen1</span><span class="pl-kos">(</span><span class="pl-kos">)</span> -&gt; <span class="pl-smi">String</span> <span class="pl-kos">{</span> <span class="pl-smi">String</span><span class="pl-kos">::</span><span class="pl-en">from</span><span class="pl-kos">(</span><span class="pl-s">"I'm pen 1"</span></pre>… </div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/greenhandatsjtu/poem-casbin-demo" rel="noopener noreferrer">View on GitHub</a></div> </div> rust opensource webdev gsoc