Package usermodel

Version v0.1.35 (not the latest version of its module). Published: Apr 30, 2026. License: MIT. Imports: 4. Imported by: 0.

Overview

Package usermodel provides the user, identity and RBAC domain models: users and their linked external identities, roles, permissions, role bindings, organization-to-role mappings, and the persisted Casbin policy rules.

Constants

const (
	IdentityProviderGitHub = "github"
	IdentityProviderGoogle = "google"
	IdentityProviderLDAP   = "ldap"
	IdentityProviderOIDC   = "oidc"
	IdentityProviderBasic  = "basic"
)

IdentityProvider constants for supported authentication providers.

const (
	ActionGet    = "GET"
	ActionList   = "LIST"
	ActionCreate = "CREATE"
	ActionUpdate = "UPDATE"
	ActionDelete = "DELETE"
)

Actions for RBAC permission checks.

const (
	ResourceAgent             = "agent"
	ResourceAgentGroup        = "agentgroup"
	ResourceAgentPackage      = "agentpackage"
	ResourceAgentRemoteConfig = "agentremoteconfig"
	ResourceCertificate       = "certificate"
	ResourceRoleBinding       = "rolebinding"
)

Namespace-scoped resource types controlled by RBAC.

const (
	ResourceServer     = "server"
	ResourceUser       = "user"
	ResourceRole       = "role"
	ResourcePermission = "permission"
)

Global resource types (not namespace-scoped).

const (
	RoleSuperAdmin = "SuperAdmin"
	RoleAdmin      = "Admin"
	RoleViewer     = "Viewer"
)

Built-in role names.

const WildcardAll = "*"

WildcardAll represents a wildcard matching all values in RBAC policies.

Variables

This section is empty.

Functions

func AllActions

func AllActions() []string

AllActions returns all RBAC actions.

func NamespaceScopedResources

func NamespaceScopedResources() []string

NamespaceScopedResources returns all namespace-scoped resources controlled by RBAC.

func ReadOnlyActions

func ReadOnlyActions() []string

ReadOnlyActions returns read-only RBAC actions.

Types

type ExternalIdentity

type ExternalIdentity struct {
	Provider       string
	ProviderUserID string
	Email          string
	DisplayName    string
	AvatarURL      string
	Groups         []string          // org/team memberships from provider (e.g., GitHub orgs)
	RawAttributes  map[string]string // provider-specific metadata
}

ExternalIdentity represents the identity information retrieved from an external provider. It is provider-agnostic and used as the common interface between authentication and RBAC.

type OrgRoleMapping

type OrgRoleMapping struct {
	Metadata OrgRoleMappingMetadata
	Spec     OrgRoleMappingSpec
}

OrgRoleMapping defines a mapping from an external provider's organization/group to an internal RBAC role. This enables automatic role assignment based on provider group memberships (e.g., GitHub org → Admin role).

func NewOrgRoleMapping

func NewOrgRoleMapping(provider, organization, team string, roleID uuid.UUID) *OrgRoleMapping

NewOrgRoleMapping creates a new organization-to-role mapping.

func (*OrgRoleMapping) Delete

func (m *OrgRoleMapping) Delete()

Delete marks the org-role mapping as deleted.

func (*OrgRoleMapping) Matches

func (m *OrgRoleMapping) Matches(provider, org, team string) bool

Matches returns true if the given provider/org/team matches this mapping.

type OrgRoleMappingMetadata

type OrgRoleMappingMetadata struct {
	UID       uuid.UUID
	CreatedAt time.Time
	UpdatedAt time.Time
	DeletedAt *time.Time
}

OrgRoleMappingMetadata contains metadata about the org-role mapping.

type OrgRoleMappingSpec

type OrgRoleMappingSpec struct {
	Provider     string // e.g., "github", "google"
	Organization string // e.g., "my-github-org"
	Team         string // optional: e.g., "platform-team" (empty means entire org)
	RoleID       uuid.UUID
}

OrgRoleMappingSpec defines the mapping specification.
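The following is an added, stand-alone example (not code from the package) showing how the documented Matches semantics resolve an ExternalIdentity's provider groups to roles. It uses minimal local stand-ins for the page's types, with string role IDs instead of uuid.UUID, a Deleted flag instead of Metadata.DeletedAt, and an assumed "org" / "org/team" encoding for Groups, which the page does not specify. The point it makes beyond the prose: the provider must be compared too, otherwise a same-named organization at a different provider inherits the role, and an identity that is only in the org must not satisfy a mapping that names a team.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for the page's types. Assumptions: string role IDs instead of
// uuid.UUID, a Deleted flag instead of Metadata.DeletedAt, and provider
// groups encoded as "org" or "org/team" (the page does not specify this).
type ExternalIdentity struct {
	Provider string
	Groups   []string
}

type OrgRoleMappingSpec struct {
	Provider     string
	Organization string
	Team         string // empty means the entire organization
	RoleID       string
}

type OrgRoleMapping struct {
	Spec    OrgRoleMappingSpec
	Deleted bool
}

// Matches follows the documented semantics: provider and organization must
// match exactly; an empty mapping Team matches every team in that org, a
// non-empty Team must match exactly. Soft-deleted mappings never match.
func (m OrgRoleMapping) Matches(provider, org, team string) bool {
	if m.Deleted {
		return false
	}
	if m.Spec.Provider != provider || m.Spec.Organization != org {
		return false
	}
	return m.Spec.Team == "" || m.Spec.Team == team
}

// splitGroup parses the assumed "org" / "org/team" encoding; an org-only
// group yields an empty team.
func splitGroup(group string) (org, team string) {
	org, team, _ = strings.Cut(group, "/")
	return org, team
}

// ResolveRoles returns the distinct role IDs an identity is granted by its
// provider group memberships, in first-match order.
func ResolveRoles(id ExternalIdentity, mappings []OrgRoleMapping) []string {
	seen := map[string]bool{}
	roles := []string{}
	for _, g := range id.Groups {
		org, team := splitGroup(g)
		for _, m := range mappings {
			if !m.Matches(id.Provider, org, team) || seen[m.Spec.RoleID] {
				continue
			}
			seen[m.Spec.RoleID] = true
			roles = append(roles, m.Spec.RoleID)
		}
	}
	return roles
}

// sampleMappings is constructed sample data: everyone in the GitHub org
// "acme" is a viewer, its "platform" team is admin, the Google org "acme"
// (a different provider) is superadmin, and one mapping is soft-deleted.
func sampleMappings() []OrgRoleMapping {
	return []OrgRoleMapping{
		{Spec: OrgRoleMappingSpec{Provider: "github", Organization: "acme", RoleID: "role-viewer"}},
		{Spec: OrgRoleMappingSpec{Provider: "github", Organization: "acme", Team: "platform", RoleID: "role-admin"}},
		{Spec: OrgRoleMappingSpec{Provider: "google", Organization: "acme", RoleID: "role-superadmin"}},
		{Spec: OrgRoleMappingSpec{Provider: "github", Organization: "acme", Team: "security", RoleID: "role-retired"}, Deleted: true},
	}
}

func main() {
	id := ExternalIdentity{Provider: "github", Groups: []string{"acme/platform"}}
	fmt.Println(ResolveRoles(id, sampleMappings())) // [role-viewer role-admin]
	id = ExternalIdentity{Provider: "google", Groups: []string{"acme/platform"}}
	fmt.Println(ResolveRoles(id, sampleMappings())) // [role-superadmin]
}
```

Note that a GitHub identity whose only group is "acme" (no team) gets role-viewer but not role-admin, and that an LDAP identity carrying the group "acme/platform" gets nothing, because no mapping names that provider.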

type Permission

type Permission struct {
	Metadata PermissionMetadata
	Spec     PermissionSpec
	Status   PermissionStatus
}

Permission represents a permission in the system.

func NewPermission

func NewPermission(resource, action string, isBuiltIn bool) *Permission

NewPermission creates a new permission with the given resource and action.

func (*Permission) Delete

func (p *Permission) Delete()

Delete marks the permission as deleted.

func (*Permission) IsDeleted

func (p *Permission) IsDeleted() bool

IsDeleted returns whether the permission is deleted.

func (*Permission) Restore

func (p *Permission) Restore()

Restore removes the deletion mark from the permission.

type PermissionMetadata

type PermissionMetadata struct {
	UID       uuid.UUID
	CreatedAt time.Time
	UpdatedAt time.Time
	DeletedAt *time.Time
}

PermissionMetadata contains metadata about the permission.

type PermissionSpec

type PermissionSpec struct {
	Name        string // e.g., "agent:read", "agent:write"
	Description string
	Resource    string // e.g., "agent", "agentgroup", "certificate"
	Action      string // e.g., "read", "write", "delete", "execute"
	IsBuiltIn   bool
}

PermissionSpec defines the permission details. Note that the example values in the field comments ("agent:read", "read", "write", "execute") are not the vocabulary of the Action constants above (GET, LIST, CREATE, UPDATE, DELETE); confirm which form the policy layer actually compares against before creating permissions, since a permission written in a vocabulary the matcher never compares is never matched.

type PermissionStatus

type PermissionStatus struct {
	Conditions []model.Condition
}

PermissionStatus represents the current state of the permission.

type RBACPolicy

type RBACPolicy struct {
	Metadata RBACPolicyMetadata
	Spec     RBACPolicySpec
	Status   RBACPolicyStatus
}

RBACPolicy represents RBAC policy rules stored in the system. This model is used to persist Casbin policy rules to MongoDB.

func NewRBACPolicy

func NewRBACPolicy(policyType string, rules [][]string) *RBACPolicy

NewRBACPolicy creates a new RBAC policy.

func (*RBACPolicy) AddRule

func (p *RBACPolicy) AddRule(rule []string)

AddRule adds a rule to the policy.

func (*RBACPolicy) Delete

func (p *RBACPolicy) Delete()

Delete marks the RBAC policy as deleted.

func (*RBACPolicy) IsDeleted

func (p *RBACPolicy) IsDeleted() bool

IsDeleted returns whether the RBAC policy is deleted.

func (*RBACPolicy) RemoveRule

func (p *RBACPolicy) RemoveRule(rule []string)

RemoveRule removes a rule from the policy.

func (*RBACPolicy) Restore

func (p *RBACPolicy) Restore()

Restore removes the deletion mark from the RBAC policy.

func (*RBACPolicy) UpdateSyncTime

func (p *RBACPolicy) UpdateSyncTime()

UpdateSyncTime updates the last sync time to now.

type RBACPolicyMetadata

type RBACPolicyMetadata struct {
	UID       uuid.UUID
	CreatedAt time.Time
	UpdatedAt time.Time
	DeletedAt *time.Time
}

RBACPolicyMetadata contains metadata about the RBAC policy.

type RBACPolicySpec

type RBACPolicySpec struct {
	PolicyType string     // "p" (policy) or "g" (grouping/role inheritance)
	Rules      [][]string // Casbin policy rules, one row each, e.g., {"admin", "agent", "write"}
}

RBACPolicySpec defines the RBAC policy rules.

type RBACPolicyStatus

type RBACPolicyStatus struct {
	Conditions   []model.Condition
	LastSyncedAt time.Time
}

RBACPolicyStatus represents the current state of the RBAC policy.

type Role

type Role struct {
	Metadata RoleMetadata
	Spec     RoleSpec
	Status   RoleStatus
}

Role represents a role that can be assigned to users.

func NewRole

func NewRole(displayName string, isBuiltIn bool) *Role

NewRole creates a new role with the given display name.

func (*Role) AddPermission

func (r *Role) AddPermission(permissionID string)

AddPermission adds a permission to the role.

func (*Role) Delete

func (r *Role) Delete()

Delete marks the role as deleted.

func (*Role) HasPermission

func (r *Role) HasPermission(permissionID string) bool

HasPermission checks if the role has a permission.

func (*Role) IsDeleted

func (r *Role) IsDeleted() bool

IsDeleted returns whether the role is deleted.

func (*Role) RemovePermission

func (r *Role) RemovePermission(permissionID string)

RemovePermission removes a permission from the role.

func (*Role) Restore

func (r *Role) Restore()

Restore removes the deletion mark from the role.

type RoleBinding

type RoleBinding struct {
	Metadata RoleBindingMetadata
	Spec     RoleBindingSpec
	Status   RoleBindingStatus
}

RoleBinding represents a binding of a role to a user within a namespace.

func NewRoleBinding

func NewRoleBinding(namespace, name string, roleRef RoleRef, subject Subject) *RoleBinding

NewRoleBinding creates a new RoleBinding instance.

func (*RoleBinding) IsDeleted

func (rb *RoleBinding) IsDeleted() bool

IsDeleted returns whether the role binding is soft-deleted.

func (*RoleBinding) MarkDeleted

func (rb *RoleBinding) MarkDeleted()

MarkDeleted marks the role binding as deleted.

func (*RoleBinding) SetUpdatedAt

func (rb *RoleBinding) SetUpdatedAt(t time.Time)

SetUpdatedAt sets the updatedAt timestamp.

type RoleBindingMetadata

type RoleBindingMetadata struct {
	Namespace string
	Name      string
	CreatedAt time.Time
	UpdatedAt time.Time
	DeletedAt *time.Time
}

RoleBindingMetadata contains metadata about the role binding.

type RoleBindingSpec

type RoleBindingSpec struct {
	RoleRef RoleRef
	Subject Subject
}

RoleBindingSpec defines the role binding details.

type RoleBindingStatus

type RoleBindingStatus struct {
	Conditions []model.Condition
}

RoleBindingStatus represents the current state of the role binding.

type RoleMetadata

type RoleMetadata struct {
	UID       uuid.UUID
	CreatedAt time.Time
	UpdatedAt time.Time
	DeletedAt *time.Time
}

RoleMetadata contains metadata about the role.

type RoleRef

type RoleRef struct {
	Kind string
	Name string
	UID  uuid.UUID
}

RoleRef references a role.

type RoleSpec

type RoleSpec struct {
	DisplayName string
	Description string
	Permissions []string // Permission names (e.g., "agent:read")
	IsBuiltIn   bool
}

RoleSpec defines the desired state of the role.

type RoleStatus

type RoleStatus struct {
	Conditions []model.Condition
}

RoleStatus represents the current state of the role.

type Subject

type Subject struct {
	Kind string
	Name string
	UID  uuid.UUID
}

Subject identifies a user.

type User

type User struct {
	Metadata UserMetadata
	Spec     UserSpec
	Status   UserStatus
}

User represents an authenticated user in the system. A user can be linked to multiple identity providers (GitHub, Google, LDAP, etc.).

func NewUser

func NewUser(email, username string) *User

NewUser creates a new user with the given email and username.

func NewUserWithIdentity

func NewUserWithIdentity(provider, providerUserID, email, displayName string) *User

NewUserWithIdentity creates a new user linked to an external identity provider.

func (*User) AddIdentity

func (u *User) AddIdentity(identity UserIdentity)

AddIdentity links an additional identity provider to this user. If an identity with the same provider already exists, it is updated.

func (*User) Delete

func (u *User) Delete()

Delete marks the user as deleted.

func (*User) GetIdentity

func (u *User) GetIdentity(provider string) *UserIdentity

GetIdentity returns the identity for the given provider, if it exists.

func (*User) HasIdentity

func (u *User) HasIdentity(provider string) bool

HasIdentity checks if the user has an identity from the given provider.

func (*User) IsDeleted

func (u *User) IsDeleted() bool

IsDeleted returns whether the user is deleted.

func (*User) RemoveIdentity

func (u *User) RemoveIdentity(provider, providerUserID string)

RemoveIdentity removes an identity provider link from this user.

func (*User) Restore

func (u *User) Restore()

Restore removes the deletion mark from the user.

type UserIdentity

type UserIdentity struct {
	Provider       string // e.g., "github", "google", "ldap", "basic"
	ProviderUserID string // unique ID from the external provider
	Email          string // email from this provider (may differ per provider)
	DisplayName    string // display name from this provider
}

UserIdentity represents a linked external identity provider account. A single user can have multiple identities (e.g., GitHub + Google).
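The following is an added example, not code from the package, showing the lookup and linking discipline the UserIdentity and AddIdentity descriptions above call for. It assumes an in-memory user store (not part of the package) and string UIDs instead of uuid.UUID. Two points the prose leaves implicit: a login is resolved by (Provider, ProviderUserID) and never by email, because the page itself notes that the email may differ per provider and a provider need not have verified it; and, unlike the documented AddIdentity behaviour of updating an existing identity for the same provider, an explicit link step here refuses to re-bind a provider slot to a different ProviderUserID, since that would hand the account to another external account.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Stand-ins for the page's types: string UIDs instead of uuid.UUID. The
// store is an assumed in-memory repository, not part of the package.
type UserIdentity struct {
	Provider       string
	ProviderUserID string
	Email          string
	DisplayName    string
}

type User struct {
	UID        string
	Email      string
	IsActive   bool
	Identities []UserIdentity
}

var (
	ErrInactive       = errors.New("user is inactive")
	ErrIdentityTaken  = errors.New("identity already linked to another user")
	ErrProviderRebind = errors.New("user already linked to a different account at this provider")
)

type identityKey struct{ Provider, ProviderUserID string }

type UserStore struct {
	users      map[string]*User
	byIdentity map[identityKey]string // (provider, providerUserID) -> user UID
	nextUID    int
}

func NewUserStore() *UserStore {
	return &UserStore{users: map[string]*User{}, byIdentity: map[identityKey]string{}}
}

// FindByIdentity looks a user up by the provider's stable user ID. Email is
// deliberately not a lookup key: a provider that does not verify addresses
// could otherwise let an attacker sign in as whoever owns that email.
func (s *UserStore) FindByIdentity(provider, providerUserID string) (*User, bool) {
	uid, ok := s.byIdentity[identityKey{provider, providerUserID}]
	if !ok {
		return nil, false
	}
	return s.users[uid], true
}

// Login resolves an external identity to the user it is already linked to,
// or creates a new user. It never merges into an existing account by email;
// linking a second provider is a separate step on an authenticated session.
func (s *UserStore) Login(ext UserIdentity) (*User, error) {
	if u, ok := s.FindByIdentity(ext.Provider, ext.ProviderUserID); ok {
		if !u.IsActive {
			return nil, ErrInactive
		}
		return u, nil
	}
	s.nextUID++
	u := &User{UID: "u" + strconv.Itoa(s.nextUID), Email: ext.Email, IsActive: true}
	s.users[u.UID] = u
	if err := s.LinkIdentity(u.UID, ext); err != nil {
		return nil, err // unreachable for a fresh user; kept for safety
	}
	return u, nil
}

// LinkIdentity attaches an identity to an existing user. It refuses an
// identity owned by someone else, and refuses to re-bind a provider slot
// to a different ProviderUserID; the same external account may be
// re-linked to refresh its email or display name.
func (s *UserStore) LinkIdentity(uid string, id UserIdentity) error {
	u, ok := s.users[uid]
	if !ok {
		return fmt.Errorf("unknown user %q", uid)
	}
	key := identityKey{id.Provider, id.ProviderUserID}
	if owner, linked := s.byIdentity[key]; linked && owner != uid {
		return ErrIdentityTaken
	}
	for i, existing := range u.Identities {
		if existing.Provider != id.Provider {
			continue
		}
		if existing.ProviderUserID != id.ProviderUserID {
			return ErrProviderRebind
		}
		u.Identities[i] = id // same external account: refresh metadata only
		return nil
	}
	u.Identities = append(u.Identities, id)
	s.byIdentity[key] = uid
	return nil
}

func main() {
	s := NewUserStore()
	// Constructed sample logins: same email at two providers stays two users.
	a, _ := s.Login(UserIdentity{Provider: "github", ProviderUserID: "42", Email: "alice@example.com"})
	b, _ := s.Login(UserIdentity{Provider: "google", ProviderUserID: "g-1", Email: "alice@example.com"})
	fmt.Println(a.UID, b.UID, a.UID == b.UID) // u1 u2 false
}
```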

type UserMetadata

type UserMetadata struct {
	UID       uuid.UUID
	CreatedAt time.Time
	UpdatedAt time.Time
	DeletedAt *time.Time
}

UserMetadata contains metadata about the user.

type UserRole

type UserRole struct {
	Metadata UserRoleMetadata
	Spec     UserRoleSpec
	Status   UserRoleStatus
}

UserRole represents the assignment of a role to a user.

func NewUserRole

func NewUserRole(userID, roleID, assignedBy uuid.UUID, namespace string) *UserRole

NewUserRole creates a new user role assignment scoped to a namespace. Use "*" as namespace for a cluster-wide (all namespaces) assignment.

func (*UserRole) Delete

func (ur *UserRole) Delete()

Delete marks the user role assignment as deleted.

func (*UserRole) IsDeleted

func (ur *UserRole) IsDeleted() bool

IsDeleted returns whether the user role assignment is deleted.

func (*UserRole) Restore

func (ur *UserRole) Restore()

Restore removes the deletion mark from the user role assignment.

type UserRoleMetadata

type UserRoleMetadata struct {
	UID       uuid.UUID
	CreatedAt time.Time
	UpdatedAt time.Time
	DeletedAt *time.Time
}

UserRoleMetadata contains metadata about the user role assignment.

type UserRoleSpec

type UserRoleSpec struct {
	UserID     uuid.UUID
	RoleID     uuid.UUID
	Namespace  string // Namespace scope. "*" = all namespaces, otherwise a specific namespace name.
	AssignedAt time.Time
	AssignedBy uuid.UUID // User who assigned the role
}

UserRoleSpec defines the user role assignment details.
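The following is an added example, not code from the package, of an authorization check that applies the scoping rules the constants section and the UserRoleSpec description above lay out: namespace-scoped versus global resources, the "*" cluster-wide assignment, and WildcardAll in permissions. It uses local stand-ins for the page's types (string IDs instead of uuid.UUID, a Deleted flag instead of Metadata.DeletedAt, and a role's permissions as resource/action pairs rather than permission names). Two choices made here that the page does not state: the wildcard is honoured only on the policy side, so a request that itself carries "*" in the resource or action can never match, and a global resource requires a cluster-wide assignment rather than any namespace-scoped one.

```go
package main

import "fmt"

// Constants mirror the page; WildcardAll is the policy-side wildcard.
const (
	WildcardAll = "*"

	ActionGet    = "GET"
	ActionList   = "LIST"
	ActionCreate = "CREATE"
	ActionUpdate = "UPDATE"
	ActionDelete = "DELETE"

	ResourceAgent       = "agent"
	ResourceCertificate = "certificate"
	ResourceUser        = "user"
)

// namespaceScoped mirrors NamespaceScopedResources(); server, user, role and
// permission are global.
var namespaceScoped = map[string]bool{
	"agent": true, "agentgroup": true, "agentpackage": true,
	"agentremoteconfig": true, "certificate": true, "rolebinding": true,
}

// Stand-ins for the page's types (assumptions: string IDs, a Deleted flag,
// permissions as resource/action pairs).
type Permission struct{ Resource, Action string }
type Role struct {
	Permissions []Permission
	Deleted     bool
}
type UserRole struct {
	UserID, RoleID, Namespace string // Namespace "*" = all namespaces
	Deleted                   bool
}
type Request struct{ UserID, Namespace, Resource, Action string }

// matchField honours the wildcard only on the policy side: a request that
// itself carries "*" never matches, so a caller cannot widen a check.
func matchField(policy, request string) bool {
	if request == WildcardAll {
		return false
	}
	return policy == WildcardAll || policy == request
}

// inScope decides whether an assignment covers the request. A cluster-wide
// assignment covers everything. A namespace-scoped assignment covers only
// namespace-scoped resources in its own namespace, so a request for
// namespace "*" (e.g. LIST across all namespaces) and any global resource
// require a cluster-wide assignment (a conservative choice made here).
func inScope(a UserRole, req Request) bool {
	if a.Namespace == WildcardAll {
		return true
	}
	return namespaceScoped[req.Resource] && a.Namespace == req.Namespace
}

// Allowed returns true if any live assignment of the user grants a live role
// holding a matching permission. Soft-deleted assignments and roles are
// skipped: a row marked deleted must never grant access.
func Allowed(req Request, assignments []UserRole, roles map[string]Role) bool {
	for _, a := range assignments {
		if a.Deleted || a.UserID != req.UserID || !inScope(a, req) {
			continue
		}
		role, ok := roles[a.RoleID]
		if !ok || role.Deleted {
			continue
		}
		for _, p := range role.Permissions {
			if matchField(p.Resource, req.Resource) && matchField(p.Action, req.Action) {
				return true
			}
		}
	}
	return false
}

// sampleRoles and sampleAssignments are constructed sample data.
func sampleRoles() map[string]Role {
	return map[string]Role{
		"Admin":  {Permissions: []Permission{{Resource: WildcardAll, Action: WildcardAll}}},
		"Viewer": {Permissions: []Permission{{Resource: ResourceAgent, Action: ActionGet}, {Resource: ResourceAgent, Action: ActionList}}},
		"Retired": {Permissions: []Permission{{Resource: WildcardAll, Action: WildcardAll}}, Deleted: true},
	}
}

func sampleAssignments() []UserRole {
	return []UserRole{
		{UserID: "alice", RoleID: "Admin", Namespace: "prod"},
		{UserID: "bob", RoleID: "Viewer", Namespace: WildcardAll},
		{UserID: "carol", RoleID: "Admin", Namespace: WildcardAll},
		{UserID: "dave", RoleID: "Viewer", Namespace: "dev", Deleted: true},
		{UserID: "erin", RoleID: "Retired", Namespace: WildcardAll},
	}
}

func main() {
	req := Request{UserID: "alice", Namespace: "prod", Resource: ResourceAgent, Action: ActionDelete}
	fmt.Println(Allowed(req, sampleAssignments(), sampleRoles())) // true
	req.Namespace = "dev"
	fmt.Println(Allowed(req, sampleAssignments(), sampleRoles())) // false
}
```

With this data alice, an Admin in "prod" only, can delete agents in prod but cannot touch agents in dev, cannot list agents across all namespaces, and cannot create users (a global resource); carol, Admin with a "*" assignment, can do all of those.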

type UserRoleStatus

type UserRoleStatus struct {
	Conditions []model.Condition
}

UserRoleStatus represents the current state of the user role assignment.

type UserSpec

type UserSpec struct {
	Email      string
	Username   string
	IsActive   bool
	Identities []UserIdentity
}

UserSpec defines the desired state of the user.

type UserStatus

type UserStatus struct {
	Conditions []model.Condition
	Roles      []string // Role IDs
}

UserStatus represents the current state of the user.
