feat: add session manager and update README (#6)
A UCON (Usage Control) extension for Casbin that provides session-based access control with conditions, obligations, and continuous monitoring.
Casbin-UCON extends Casbin with UCON (Usage Control) capabilities, enabling:
go get github.com/casbin/casbin-ucon
It's important to understand how continuous authorization works in Casbin-UCON:
EnforceWithSession(sessionID) performs pre-checks (pre-conditions and pre-obligations) and automatically starts monitoring for ongoing conditions and obligations.
StartMonitoring(sessionID) only starts monitoring without pre-checks.
If a session no longer satisfies the conditions, session.IfActive() will return false, and you can use session.GetStopReason() to determine why the session stopped.
Your application is responsible for handling these notifications and deciding how to terminate the session.
Always call StopMonitoring() to clean up resources when done. Example:
go func() { for { if !session.IfActive() { if session.GetStopReason() == ucon.NormalStopReason { // NormalStopReason means the session was stopped by user code calling StopMonitoring(). break } //TODO //decide how to handle session termination yourself // For example, clean up resources, close connections, write logs, notify the frontend, etc. fmt.Printf("%s %s %s is stopped because: %s\n", session.GetSubject(), session.GetAction(), session.GetObject(),session.GetStopReason()) break } time.Sleep(200 * time.Millisecond) } }()
Casbin-UCON requires standard Casbin configuration files:
For example:
model.conf
[request_definition] r = sub, obj, act [policy_definition] p = sub, obj, act [policy_effect] e = some(where (p.eft == allow)) [matchers] m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
policy.csv
p, alice, document1, read
package main import ( "github.com/casbin/casbin/v2" "github.com/casbin/casbin-ucon" "fmt" "time" ) func main() { // Create standard Casbin enforcer e, _ := casbin.NewEnforcer("model.conf", "policy.csv") // Wrap with UCON functionality uconE := ucon.NewUconEnforcer(e) // Add conditions condition := &ucon.Condition{ ID: "location_condition", Name: "location", Kind: "always", Expr: "office", } uconE.AddCondition(condition) // Add obligations obligation := &ucon.Obligation{ ID: "post_log", Name: "access_logging", Kind: "post", Expr: "log_level:detailed", } uconE.AddObligation(obligation) // Create a session sessionID, _ := uconE.CreateSession("alice", "read", "document1", map[string]interface{}{ "location": "office", "log_level": "detailed", }) // UCON session-based enforcement session, err := uconE.EnforceWithSession(sessionID) if session == nil { // refused fmt.Println("session refused because: ",err ) } go func() { for { if !session.IfActive() { if session.GetStopReason() == ucon.NormalStopReason { break } //TODO //decide how to handle session termination yourself // For example, clean up resources, close connections, write logs, notify the frontend, etc. fmt.Printf("%s %s %s is stopped because: %s\n", session.GetSubject(), session.GetAction(), session.GetObject(),session.GetStopReason()) break } time.Sleep(200 * time.Millisecond) } }() /* alice read document1 //you could change the attribute by: session.UpdateAttribute("location", "home") */ // Stop the session _ = uconE.StopMonitoring(sessionID) }
// Enhanced enforcement EnforceWithSession(sessionID string) (*Session, error) // Session management CreateSession(subject, action, object string, attributes map[string]interface{}) (string, error) GetSession(sessionID string) (*Session, error) UpdateSessionAttribute(sessionID string, key string, val interface{}) error RevokeSession(sessionID string) error // Condition management AddCondition(condition *Condition) error EvaluateConditions(sessionID string) (bool, error) // Obligation management AddObligation(obligation *Obligation) error ExecuteObligations(sessionID string) error ExecuteObligationsByType(sessionID string, phase string) error // Monitoring StartMonitoring(sessionID string) error StopMonitoring(sessionID string) error
Development Status: This project is in an early development stage and features may change frequently.
Current Features:
Enhanced Condition & Obligation Management – Allow more flexible and customizable conditions and obligations.
Improved Session Management – Additional features for session lifecycle and attribute handling.
Advanced Monitoring – Configurable monitoring options for ongoing authorization and obligations.
Comprehensive Documentation & Examples – Expanded guides, usage examples, and best practices.
Apache 2.0 License - see LICENSE for details.