Index ¶
- Constants
- Variables
- func IsAccessDenied(err error) bool
- func IsAssetOwnerExists(err error) bool
- func IsAssetOwnerNotFound(err error) bool
- func IsAssignmentRuleNotFound(err error) bool
- func IsInsufficientPermission(err error) bool
- type AssetOwner
- func NewAssetOwner(assetID, groupID shared.ID, ownershipType OwnershipType, assignedBy *shared.ID) (*AssetOwner, error)
- func NewAssetOwnerForGroup(assetID, groupID shared.ID, ownershipType OwnershipType, assignedBy *shared.ID) (*AssetOwner, error)
- func NewAssetOwnerForUser(assetID, userID shared.ID, ownershipType OwnershipType, assignedBy *shared.ID) (*AssetOwner, error)
- func ReconstituteAssetOwner(id shared.ID, assetID shared.ID, groupID *shared.ID, userID *shared.ID, ...) *AssetOwner
- func (ao *AssetOwner) AssetID() shared.ID
- func (ao *AssetOwner) AssignedAt() time.Time
- func (ao *AssetOwner) AssignedBy() *shared.ID
- func (ao *AssetOwner) GroupID() *shared.ID
- func (ao *AssetOwner) HasFullAccess() bool
- func (ao *AssetOwner) HasViewAccess() bool
- func (ao *AssetOwner) ID() shared.ID
- func (ao *AssetOwner) IsGroupOwnership() bool
- func (ao *AssetOwner) IsUserOwnership() bool
- func (ao *AssetOwner) OwnershipType() OwnershipType
- func (ao *AssetOwner) UpdateOwnershipType(ownershipType OwnershipType) error
- func (ao *AssetOwner) UserID() *shared.ID
- type AssetOwnerWithAsset
- type AssetOwnerWithNames
- type AssetWithOwners
- type AssignmentConditions
- type AssignmentOptions
- type AssignmentRule
- func (r *AssignmentRule) Activate()
- func (r *AssignmentRule) Conditions() AssignmentConditions
- func (r *AssignmentRule) CreatedAt() time.Time
- func (r *AssignmentRule) CreatedBy() *shared.ID
- func (r *AssignmentRule) Deactivate()
- func (r *AssignmentRule) Description() string
- func (r *AssignmentRule) ID() shared.ID
- func (r *AssignmentRule) IsActive() bool
- func (r *AssignmentRule) Name() string
- func (r *AssignmentRule) Options() AssignmentOptions
- func (r *AssignmentRule) Priority() int
- func (r *AssignmentRule) TargetGroupID() shared.ID
- func (r *AssignmentRule) TenantID() shared.ID
- func (r *AssignmentRule) UpdateConditions(conditions AssignmentConditions)
- func (r *AssignmentRule) UpdateDescription(description string)
- func (r *AssignmentRule) UpdateName(name string) error
- func (r *AssignmentRule) UpdateOptions(options AssignmentOptions)
- func (r *AssignmentRule) UpdatePriority(priority int)
- func (r *AssignmentRule) UpdateTargetGroup(targetGroupID shared.ID) error
- func (r *AssignmentRule) UpdatedAt() time.Time
- type AssignmentRuleFilter
- type EffectivePermissions
- type FindingGroupAssignment
- func (fga *FindingGroupAssignment) AssignedAt() time.Time
- func (fga *FindingGroupAssignment) FindingID() shared.ID
- func (fga *FindingGroupAssignment) GroupID() shared.ID
- func (fga *FindingGroupAssignment) ID() shared.ID
- func (fga *FindingGroupAssignment) RuleID() *shared.ID
- func (fga *FindingGroupAssignment) TenantID() shared.ID
- type GroupPermission
- func (gp *GroupPermission) CreatedAt() time.Time
- func (gp *GroupPermission) CreatedBy() *shared.ID
- func (gp *GroupPermission) Effect() PermissionEffect
- func (gp *GroupPermission) GroupID() shared.ID
- func (gp *GroupPermission) HasScope() bool
- func (gp *GroupPermission) IsAllow() bool
- func (gp *GroupPermission) IsDeny() bool
- func (gp *GroupPermission) PermissionID() string
- func (gp *GroupPermission) ScopeType() *ScopeType
- func (gp *GroupPermission) ScopeValue() *ScopeValue
- func (gp *GroupPermission) SetScope(scopeType ScopeType, scopeValue *ScopeValue) error
- type GroupWithAssets
- type MatchLogic
- type OwnerBrief
- type OwnershipType
- type PermissionEffect
- type PermissionResolver
- func (r *PermissionResolver) HasAllPermissions(ps *permissionset.PermissionSetWithItems, ...) bool
- func (r *PermissionResolver) HasAnyPermission(ps *permissionset.PermissionSetWithItems, ...) bool
- func (r *PermissionResolver) HasPermission(ps *permissionset.PermissionSetWithItems, ...) bool
- func (r *PermissionResolver) ResolveGroupPermissions(permissionSets []*permissionset.PermissionSetWithItems, ...) []permission.Permission
- func (r *PermissionResolver) ResolvePermissionSetPermissions(ps *permissionset.PermissionSetWithItems, ...) []permission.Permission
- func (r *PermissionResolver) ResolveUserPermissions(groupPermissions [][]permission.Permission) []permission.Permission
- func (r *PermissionResolver) ResolveWithSources(permissionSets []*permissionset.PermissionSetWithItems, ...) *EffectivePermissions
- type PermissionSource
- type Repository
- type ScopeRule
- func (r *ScopeRule) Activate()
- func (r *ScopeRule) CreatedAt() time.Time
- func (r *ScopeRule) CreatedBy() *shared.ID
- func (r *ScopeRule) Deactivate()
- func (r *ScopeRule) Description() string
- func (r *ScopeRule) GroupID() shared.ID
- func (r *ScopeRule) ID() shared.ID
- func (r *ScopeRule) IsActive() bool
- func (r *ScopeRule) MatchAssetGroupIDs() []shared.ID
- func (r *ScopeRule) MatchLogic() MatchLogic
- func (r *ScopeRule) MatchTags() []string
- func (r *ScopeRule) Name() string
- func (r *ScopeRule) OwnershipType() OwnershipType
- func (r *ScopeRule) Priority() int
- func (r *ScopeRule) RuleType() ScopeRuleType
- func (r *ScopeRule) SetMatchAssetGroupIDs(ids []shared.ID) error
- func (r *ScopeRule) SetMatchTags(tags []string, logic MatchLogic) error
- func (r *ScopeRule) SetOwnershipType(t OwnershipType) error
- func (r *ScopeRule) SetPriority(priority int)
- func (r *ScopeRule) TenantID() shared.ID
- func (r *ScopeRule) UpdateDescription(description string)
- func (r *ScopeRule) UpdateName(name string) error
- func (r *ScopeRule) UpdatedAt() time.Time
- type ScopeRuleFilter
- type ScopeRuleType
- type ScopeType
- type ScopeValue
- type UserAccessibleAsset
- type UserAssetAccess
Constants ¶
const MaxMatchAssetGroups = 5
MaxMatchAssetGroups is the maximum number of asset groups per asset_group_match rule.
const MaxMatchTags = 10
MaxMatchTags is the maximum number of tags per tag_match rule.
const MaxScopeRulesPerGroup = 20
MaxScopeRulesPerGroup is the maximum number of scope rules per group.
Variables ¶
// Domain errors for access control.
//
// Every error wraps a sentinel from the shared package with %w, so callers
// classify failures with errors.Is (for example errors.Is(err, shared.ErrForbidden))
// instead of matching on message text. The Is* helpers in this package are the
// preferred way to test for the individual errors.
var (
	// Asset ownership errors
	ErrAssetOwnerNotFound   = fmt.Errorf("%w: asset owner not found", shared.ErrNotFound)
	ErrAssetOwnerExists     = fmt.Errorf("%w: asset ownership already exists", shared.ErrAlreadyExists)
	ErrLastPrimaryOwner     = fmt.Errorf("%w: cannot remove the last primary owner", shared.ErrValidation)
	ErrInvalidOwnershipType = fmt.Errorf("%w: invalid ownership type", shared.ErrValidation)

	// Group permission errors
	ErrGroupPermissionNotFound = fmt.Errorf("%w: group permission not found", shared.ErrNotFound)
	ErrGroupPermissionExists   = fmt.Errorf("%w: group permission already exists", shared.ErrAlreadyExists)
	ErrInvalidPermissionEffect = fmt.Errorf("%w: invalid permission effect", shared.ErrValidation)

	// Assignment rule errors
	ErrAssignmentRuleNotFound = fmt.Errorf("%w: assignment rule not found", shared.ErrNotFound)
	ErrAssignmentRuleInactive = fmt.Errorf("%w: assignment rule is inactive", shared.ErrValidation)
	ErrNoMatchingRule         = fmt.Errorf("%w: no matching assignment rule found", shared.ErrNotFound)
	ErrTargetGroupNotFound    = fmt.Errorf("%w: target group not found", shared.ErrNotFound)
	ErrTargetGroupInactive    = fmt.Errorf("%w: target group is inactive", shared.ErrValidation)

	// Permission resolution errors
	ErrCircularPermissionChain = fmt.Errorf("%w: circular permission set inheritance detected", shared.ErrValidation)
	ErrPermissionResolution    = fmt.Errorf("%w: failed to resolve permissions", shared.ErrInternal)

	// Access errors
	// These wrap shared.ErrForbidden, so a generic handler mapping that sentinel
	// to an HTTP 403 covers all three without further special-casing.
	ErrAccessDenied           = fmt.Errorf("%w: access denied", shared.ErrForbidden)
	ErrInsufficientPermission = fmt.Errorf("%w: insufficient permissions", shared.ErrForbidden)
	ErrAssetAccessDenied      = fmt.Errorf("%w: access to asset denied", shared.ErrForbidden)
)
Domain errors for access control.
Functions ¶
func IsAccessDenied ¶
IsAccessDenied checks if the error is an access denied error.
func IsAssetOwnerExists ¶
IsAssetOwnerExists checks if the error is an asset owner exists error.
func IsAssetOwnerNotFound ¶
IsAssetOwnerNotFound checks if the error is an asset owner not found error.
func IsAssignmentRuleNotFound ¶
IsAssignmentRuleNotFound checks if the error is an assignment rule not found error.
func IsInsufficientPermission ¶
IsInsufficientPermission checks if the error is an insufficient permission error.
Types ¶
type AssetOwner ¶
type AssetOwner struct {
// contains filtered or unexported fields
}
AssetOwner represents ownership of an asset by a group or user. Either groupID or userID must be set (but not both).
func NewAssetOwner ¶
func NewAssetOwner(assetID, groupID shared.ID, ownershipType OwnershipType, assignedBy *shared.ID) (*AssetOwner, error)
NewAssetOwner creates a new asset owner relationship (legacy - defaults to group ownership). Deprecated: Use NewAssetOwnerForGroup or NewAssetOwnerForUser instead.
func NewAssetOwnerForGroup ¶
func NewAssetOwnerForGroup(assetID, groupID shared.ID, ownershipType OwnershipType, assignedBy *shared.ID) (*AssetOwner, error)
NewAssetOwnerForGroup creates a new asset owner relationship for a group.
func NewAssetOwnerForUser ¶
func NewAssetOwnerForUser(assetID, userID shared.ID, ownershipType OwnershipType, assignedBy *shared.ID) (*AssetOwner, error)
NewAssetOwnerForUser creates a new asset owner relationship for a user (direct ownership).
func ReconstituteAssetOwner ¶
func ReconstituteAssetOwner( id shared.ID, assetID shared.ID, groupID *shared.ID, userID *shared.ID, ownershipType OwnershipType, assignedAt time.Time, assignedBy *shared.ID, ) *AssetOwner
ReconstituteAssetOwner recreates an AssetOwner from persistence.
func (*AssetOwner) AssetID ¶
func (ao *AssetOwner) AssetID() shared.ID
AssetID returns the asset ID.
func (*AssetOwner) AssignedAt ¶
func (ao *AssetOwner) AssignedAt() time.Time
AssignedAt returns when the ownership was assigned.
func (*AssetOwner) AssignedBy ¶
func (ao *AssetOwner) AssignedBy() *shared.ID
AssignedBy returns who assigned the ownership.
func (*AssetOwner) GroupID ¶
func (ao *AssetOwner) GroupID() *shared.ID
GroupID returns the group ID (nil if user ownership).
func (*AssetOwner) HasFullAccess ¶
func (ao *AssetOwner) HasFullAccess() bool
HasFullAccess checks if this ownership grants full access.
func (*AssetOwner) HasViewAccess ¶
func (ao *AssetOwner) HasViewAccess() bool
HasViewAccess checks if this ownership grants view access.
func (*AssetOwner) IsGroupOwnership ¶
func (ao *AssetOwner) IsGroupOwnership() bool
IsGroupOwnership returns true if this is group-level ownership.
func (*AssetOwner) IsUserOwnership ¶
func (ao *AssetOwner) IsUserOwnership() bool
IsUserOwnership returns true if this is direct user-level ownership.
func (*AssetOwner) OwnershipType ¶
func (ao *AssetOwner) OwnershipType() OwnershipType
OwnershipType returns the ownership type.
func (*AssetOwner) UpdateOwnershipType ¶
func (ao *AssetOwner) UpdateOwnershipType(ownershipType OwnershipType) error
UpdateOwnershipType updates the ownership type.
func (*AssetOwner) UserID ¶
func (ao *AssetOwner) UserID() *shared.ID
UserID returns the user ID (nil if group ownership).
type AssetOwnerWithAsset ¶ added in v0.1.2
// AssetOwnerWithAsset extends AssetOwner with basic asset details.
// It is the element type returned by Repository.ListAssetOwnersByGroupWithDetails.
type AssetOwnerWithAsset struct {
	*AssetOwner

	// Display details of the owned asset, resolved together with the ownership row.
	AssetName   string
	AssetType   string
	AssetStatus string
}
AssetOwnerWithAsset extends AssetOwner with basic asset details.
type AssetOwnerWithNames ¶ added in v0.1.2
// AssetOwnerWithNames extends AssetOwner with resolved user/group names.
// It is the element type returned by Repository.ListAssetOwnersWithNames.
type AssetOwnerWithNames struct {
	*AssetOwner

	// Resolved display names. Presumably only UserName/UserEmail are populated
	// for user ownership and only GroupName for group ownership (see
	// AssetOwner.IsUserOwnership / IsGroupOwnership) — confirm in the repository.
	UserName       string
	UserEmail      string
	GroupName      string
	AssignedByName string
}
AssetOwnerWithNames extends AssetOwner with resolved user/group names.
type AssetWithOwners ¶
// AssetWithOwners represents an asset with its ownership information.
type AssetWithOwners struct {
	AssetID shared.ID
	// Owners presumably holds every ownership row for AssetID, group- and
	// user-level alike; an empty slice means the asset has no owners.
	Owners []*AssetOwner
}
AssetWithOwners represents an asset with its ownership information.
type AssignmentConditions ¶
// AssignmentConditions represents conditions for auto-assignment rules.
//
// The JSON tags are presumably the persisted form of AssignmentRule.Conditions,
// so renaming a tag is a data-migration change rather than a refactor.
type AssignmentConditions struct {
	// NOTE(review): the tag is singular ("asset_type") while the field and the
	// other list fields are plural. Left as-is because stored rules may depend on
	// it — confirm this is intentional.
	AssetTypes []string `json:"asset_type,omitempty"`
	// NOTE(review): the pattern syntax (glob vs. regular expression) is not
	// defined here. If it is compiled as a regex from tenant-supplied input, the
	// matcher should bound pattern size/complexity before compiling it.
	FilePathPattern string   `json:"file_path_pattern,omitempty"`
	FindingSeverity []string `json:"finding_severity,omitempty"`
	FindingType     []string `json:"finding_type,omitempty"`
	FindingSource   []string `json:"finding_source,omitempty"`
	AssetTags       []string `json:"asset_tags,omitempty"`
}
AssignmentConditions represents conditions for auto-assignment rules.
type AssignmentOptions ¶
// AssignmentOptions represents options for assignment rules.
type AssignmentOptions struct {
	NotifyGroup bool `json:"notify_group,omitempty"`
	// SetFindingPriority is omitted from JSON when empty; presumably an empty
	// value means "leave the finding's priority unchanged". The accepted values
	// are not enumerated in this package — confirm against the caller.
	SetFindingPriority string `json:"set_finding_priority,omitempty"`
}
AssignmentOptions represents options for assignment rules.
type AssignmentRule ¶
type AssignmentRule struct {
// contains filtered or unexported fields
}
AssignmentRule represents an auto-routing rule for findings.
func NewAssignmentRule ¶
func NewAssignmentRule( tenantID shared.ID, name string, conditions AssignmentConditions, targetGroupID shared.ID, createdBy *shared.ID, ) (*AssignmentRule, error)
NewAssignmentRule creates a new assignment rule.
func ReconstituteAssignmentRule ¶
func ReconstituteAssignmentRule( id shared.ID, tenantID shared.ID, name, description string, priority int, isActive bool, conditions AssignmentConditions, targetGroupID shared.ID, options AssignmentOptions, createdAt, updatedAt time.Time, createdBy *shared.ID, ) *AssignmentRule
ReconstituteAssignmentRule recreates an AssignmentRule from persistence.
func (*AssignmentRule) Conditions ¶
func (r *AssignmentRule) Conditions() AssignmentConditions
Conditions returns the matching conditions.
func (*AssignmentRule) CreatedAt ¶
func (r *AssignmentRule) CreatedAt() time.Time
CreatedAt returns the creation timestamp.
func (*AssignmentRule) CreatedBy ¶
func (r *AssignmentRule) CreatedBy() *shared.ID
CreatedBy returns who created this rule.
func (*AssignmentRule) Deactivate ¶
func (r *AssignmentRule) Deactivate()
Deactivate deactivates the rule.
func (*AssignmentRule) Description ¶
func (r *AssignmentRule) Description() string
Description returns the rule description.
func (*AssignmentRule) IsActive ¶
func (r *AssignmentRule) IsActive() bool
IsActive returns whether the rule is active.
func (*AssignmentRule) Options ¶
func (r *AssignmentRule) Options() AssignmentOptions
Options returns the rule options.
func (*AssignmentRule) Priority ¶
func (r *AssignmentRule) Priority() int
Priority returns the rule priority (higher = evaluated first).
func (*AssignmentRule) TargetGroupID ¶
func (r *AssignmentRule) TargetGroupID() shared.ID
TargetGroupID returns the target group ID.
func (*AssignmentRule) TenantID ¶
func (r *AssignmentRule) TenantID() shared.ID
TenantID returns the tenant ID.
func (*AssignmentRule) UpdateConditions ¶
func (r *AssignmentRule) UpdateConditions(conditions AssignmentConditions)
UpdateConditions updates the matching conditions.
func (*AssignmentRule) UpdateDescription ¶
func (r *AssignmentRule) UpdateDescription(description string)
UpdateDescription updates the rule description.
func (*AssignmentRule) UpdateName ¶
func (r *AssignmentRule) UpdateName(name string) error
UpdateName updates the rule name.
func (*AssignmentRule) UpdateOptions ¶
func (r *AssignmentRule) UpdateOptions(options AssignmentOptions)
UpdateOptions updates the rule options.
func (*AssignmentRule) UpdatePriority ¶
func (r *AssignmentRule) UpdatePriority(priority int)
UpdatePriority updates the rule priority.
func (*AssignmentRule) UpdateTargetGroup ¶
func (r *AssignmentRule) UpdateTargetGroup(targetGroupID shared.ID) error
UpdateTargetGroup updates the target group.
func (*AssignmentRule) UpdatedAt ¶
func (r *AssignmentRule) UpdatedAt() time.Time
UpdatedAt returns the last update timestamp.
type AssignmentRuleFilter ¶
// AssignmentRuleFilter contains filter options for listing assignment rules.
// DefaultAssignmentRuleFilter returns the defaults used when a caller does not
// set them explicitly.
type AssignmentRuleFilter struct {
	// Status filter (nil presumably means "any status")
	IsActive *bool
	// Target group filter (nil presumably means "any group")
	TargetGroupID *shared.ID
	// Search
	Search string
	// Pagination
	Limit  int
	Offset int
	// Sorting
	// NOTE(review): OrderBy is free text at this layer. The repository must map
	// it onto the column names listed below and reject anything else before the
	// value can reach a query; it must never be interpolated as-is.
	OrderBy   string // "name", "priority", "created_at"
	OrderDesc bool
}
AssignmentRuleFilter contains filter options for listing assignment rules.
func DefaultAssignmentRuleFilter ¶
func DefaultAssignmentRuleFilter() AssignmentRuleFilter
DefaultAssignmentRuleFilter returns a default filter.
type EffectivePermissions ¶
// EffectivePermissions represents the resolved permissions for an entity.
// It is produced by PermissionResolver.ResolveWithSources.
type EffectivePermissions struct {
	Permissions []permission.Permission
	// Sources records where each granted permission came from, for auditing
	// and debugging of permission issues.
	Sources []PermissionSource
}
EffectivePermissions represents the resolved permissions for an entity.
type FindingGroupAssignment ¶ added in v0.1.2
type FindingGroupAssignment struct {
// contains filtered or unexported fields
}
FindingGroupAssignment represents a finding assigned to a group via an assignment rule.
func NewFindingGroupAssignment ¶ added in v0.1.2
func NewFindingGroupAssignment(tenantID, findingID, groupID shared.ID, ruleID *shared.ID) (*FindingGroupAssignment, error)
NewFindingGroupAssignment creates a new finding-group assignment.
func ReconstituteFindingGroupAssignment ¶ added in v0.1.2
func ReconstituteFindingGroupAssignment(id, tenantID, findingID, groupID shared.ID, ruleID *shared.ID, assignedAt time.Time) *FindingGroupAssignment
ReconstituteFindingGroupAssignment recreates a FindingGroupAssignment from persistence.
func (*FindingGroupAssignment) AssignedAt ¶ added in v0.1.2
func (fga *FindingGroupAssignment) AssignedAt() time.Time
AssignedAt returns the assignment timestamp.
func (*FindingGroupAssignment) FindingID ¶ added in v0.1.2
func (fga *FindingGroupAssignment) FindingID() shared.ID
FindingID returns the finding ID.
func (*FindingGroupAssignment) GroupID ¶ added in v0.1.2
func (fga *FindingGroupAssignment) GroupID() shared.ID
GroupID returns the group ID.
func (*FindingGroupAssignment) ID ¶ added in v0.1.2
func (fga *FindingGroupAssignment) ID() shared.ID
ID returns the assignment ID.
func (*FindingGroupAssignment) RuleID ¶ added in v0.1.2
func (fga *FindingGroupAssignment) RuleID() *shared.ID
RuleID returns the rule ID (nil if manually assigned).
func (*FindingGroupAssignment) TenantID ¶ added in v0.1.2
func (fga *FindingGroupAssignment) TenantID() shared.ID
TenantID returns the tenant ID.
type GroupPermission ¶
type GroupPermission struct {
// contains filtered or unexported fields
}
GroupPermission represents a custom permission override for a group.
func NewGroupPermission ¶
func NewGroupPermission(groupID shared.ID, permissionID string, effect PermissionEffect, createdBy *shared.ID) (*GroupPermission, error)
NewGroupPermission creates a new group permission override.
func ReconstituteGroupPermission ¶
func ReconstituteGroupPermission( groupID shared.ID, permissionID string, effect PermissionEffect, scopeType *ScopeType, scopeValue *ScopeValue, createdAt time.Time, createdBy *shared.ID, ) *GroupPermission
ReconstituteGroupPermission recreates a GroupPermission from persistence.
func (*GroupPermission) CreatedAt ¶
func (gp *GroupPermission) CreatedAt() time.Time
CreatedAt returns when this permission was created.
func (*GroupPermission) CreatedBy ¶
func (gp *GroupPermission) CreatedBy() *shared.ID
CreatedBy returns who created this permission.
func (*GroupPermission) Effect ¶
func (gp *GroupPermission) Effect() PermissionEffect
Effect returns the permission effect.
func (*GroupPermission) GroupID ¶
func (gp *GroupPermission) GroupID() shared.ID
GroupID returns the group ID.
func (*GroupPermission) HasScope ¶
func (gp *GroupPermission) HasScope() bool
HasScope checks if this permission has a scope restriction.
func (*GroupPermission) IsAllow ¶
func (gp *GroupPermission) IsAllow() bool
IsAllow checks if this is an allow effect.
func (*GroupPermission) IsDeny ¶
func (gp *GroupPermission) IsDeny() bool
IsDeny checks if this is a deny effect.
func (*GroupPermission) PermissionID ¶
func (gp *GroupPermission) PermissionID() string
PermissionID returns the permission ID.
func (*GroupPermission) ScopeType ¶
func (gp *GroupPermission) ScopeType() *ScopeType
ScopeType returns the scope type (if any).
func (*GroupPermission) ScopeValue ¶
func (gp *GroupPermission) ScopeValue() *ScopeValue
ScopeValue returns the scope value (if any).
func (*GroupPermission) SetScope ¶
func (gp *GroupPermission) SetScope(scopeType ScopeType, scopeValue *ScopeValue) error
SetScope sets the scope for this permission.
type GroupWithAssets ¶
GroupWithAssets represents a group with its owned assets.
type MatchLogic ¶ added in v0.1.2
type MatchLogic string
MatchLogic represents how multiple match criteria are combined.
// Valid MatchLogic values; MatchLogic.IsValid reports whether a value is one of them.
const (
	// MatchLogicAny means asset must match ANY of the criteria (OR).
	MatchLogicAny MatchLogic = "any"
	// MatchLogicAll means asset must match ALL criteria (AND).
	MatchLogicAll MatchLogic = "all"
)
func (MatchLogic) IsValid ¶ added in v0.1.2
func (m MatchLogic) IsValid() bool
IsValid checks if the match logic is valid.
type OwnerBrief ¶ added in v0.1.2
// OwnerBrief is a lightweight owner representation for asset list responses.
// It is returned by Repository.GetPrimaryOwnerBrief and
// Repository.GetPrimaryOwnersByAssetIDs.
type OwnerBrief struct {
	ID   string `json:"id"`
	Type string `json:"type"` // "user" or "group"
	Name string `json:"name"`
	// Email is omitted when empty; presumably only set when Type is "user" — confirm.
	Email string `json:"email,omitempty"`
}
OwnerBrief is a lightweight owner representation for asset list responses.
type OwnershipType ¶
type OwnershipType string
OwnershipType represents the type of asset ownership.
// Valid OwnershipType values. AllOwnershipTypes lists them and
// OwnershipType.IsValid reports whether a value is one of them; the access
// and notification semantics below are exposed through HasFullAccess,
// HasViewAccess, ReceivesNotifications and ReceivesAllNotifications.
const (
	// OwnershipPrimary is the main owner with full access and primary responsibility.
	OwnershipPrimary OwnershipType = "primary"
	// OwnershipSecondary is a co-owner with full access and shared responsibility.
	OwnershipSecondary OwnershipType = "secondary"
	// OwnershipStakeholder has view access and receives critical notifications only.
	OwnershipStakeholder OwnershipType = "stakeholder"
	// OwnershipInformed has no access but receives summary notifications only.
	OwnershipInformed OwnershipType = "informed"
)
func AllOwnershipTypes ¶
func AllOwnershipTypes() []OwnershipType
AllOwnershipTypes returns all valid ownership types.
func (OwnershipType) HasFullAccess ¶
func (t OwnershipType) HasFullAccess() bool
HasFullAccess checks if this ownership type grants full access.
func (OwnershipType) HasViewAccess ¶
func (t OwnershipType) HasViewAccess() bool
HasViewAccess checks if this ownership type grants view access.
func (OwnershipType) IsValid ¶
func (t OwnershipType) IsValid() bool
IsValid checks if the ownership type is valid.
func (OwnershipType) ReceivesAllNotifications ¶
func (t OwnershipType) ReceivesAllNotifications() bool
ReceivesAllNotifications checks if this ownership type receives all notifications.
func (OwnershipType) ReceivesNotifications ¶
func (t OwnershipType) ReceivesNotifications() bool
ReceivesNotifications checks if this ownership type receives notifications.
func (OwnershipType) String ¶
func (t OwnershipType) String() string
String returns the string representation.
type PermissionEffect ¶
type PermissionEffect string
PermissionEffect represents the effect of a permission grant.
// Valid PermissionEffect values; PermissionEffect.IsValid reports whether a
// value is one of them.
const (
	// EffectAllow grants the permission.
	EffectAllow PermissionEffect = "allow"
	// EffectDeny denies the permission (overrides allow).
	EffectDeny PermissionEffect = "deny"
)
func (PermissionEffect) IsValid ¶
func (e PermissionEffect) IsValid() bool
IsValid checks if the effect is valid.
func (PermissionEffect) String ¶
func (e PermissionEffect) String() string
String returns the string representation.
type PermissionResolver ¶
// PermissionResolver resolves effective permissions for users and groups.
// It handles permission inheritance, additions, and removals.
//
// The type has no fields, so the zero value is usable; NewPermissionResolver
// is provided for callers that prefer a constructor.
type PermissionResolver struct{}
PermissionResolver resolves effective permissions for users and groups. It handles permission inheritance, additions, and removals.
func NewPermissionResolver ¶
func NewPermissionResolver() *PermissionResolver
NewPermissionResolver creates a new PermissionResolver.
func (*PermissionResolver) HasAllPermissions ¶
func (r *PermissionResolver) HasAllPermissions( ps *permissionset.PermissionSetWithItems, parentChain []*permissionset.PermissionSetWithItems, targets ...permission.Permission, ) bool
HasAllPermissions checks if a permission set grants all of the specified permissions.
func (*PermissionResolver) HasAnyPermission ¶
func (r *PermissionResolver) HasAnyPermission( ps *permissionset.PermissionSetWithItems, parentChain []*permissionset.PermissionSetWithItems, targets ...permission.Permission, ) bool
HasAnyPermission checks if a permission set grants any of the specified permissions.
func (*PermissionResolver) HasPermission ¶
func (r *PermissionResolver) HasPermission( ps *permissionset.PermissionSetWithItems, parentChain []*permissionset.PermissionSetWithItems, target permission.Permission, ) bool
HasPermission checks if a permission set grants a specific permission.
func (*PermissionResolver) ResolveGroupPermissions ¶
func (r *PermissionResolver) ResolveGroupPermissions( permissionSets []*permissionset.PermissionSetWithItems, parentChains map[shared.ID][]*permissionset.PermissionSetWithItems, customPermissions []*GroupPermission, ) []permission.Permission
ResolveGroupPermissions resolves the effective permissions for a group. It combines permissions from permission sets and custom group permissions.
func (*PermissionResolver) ResolvePermissionSetPermissions ¶
func (r *PermissionResolver) ResolvePermissionSetPermissions( ps *permissionset.PermissionSetWithItems, parentChain []*permissionset.PermissionSetWithItems, ) []permission.Permission
ResolvePermissionSetPermissions resolves the effective permissions for a permission set. For extended sets, it applies: Parent Permissions + Additions - Removals. For other sets, it returns the direct permissions.
func (*PermissionResolver) ResolveUserPermissions ¶
func (r *PermissionResolver) ResolveUserPermissions( groupPermissions [][]permission.Permission, ) []permission.Permission
ResolveUserPermissions resolves the effective permissions for a user. It merges permissions from all groups the user belongs to.
func (*PermissionResolver) ResolveWithSources ¶
func (r *PermissionResolver) ResolveWithSources( permissionSets []*permissionset.PermissionSetWithItems, parentChains map[shared.ID][]*permissionset.PermissionSetWithItems, customPermissions []*GroupPermission, ) *EffectivePermissions
ResolveWithSources resolves permissions and tracks their sources. This is useful for auditing and debugging permission issues.
type PermissionSource ¶
// PermissionSource describes where a permission came from.
// It is collected in EffectivePermissions.Sources by
// PermissionResolver.ResolveWithSources for auditing.
type PermissionSource struct {
	PermissionID     string
	SourceType       string    // "permission_set", "custom_permission"
	SourceID         shared.ID // Permission set ID or group ID
	SourceName       string    // Human-readable name
	ModificationType string    // "add", "remove", "inherited"
}
PermissionSource describes where a permission came from.
type Repository ¶
// Repository defines the interface for access control persistence.
//
// Methods are grouped by the comment headers below. Only some groups carry a
// tenantID in their signature; for the others, tenant isolation is not
// expressed at this layer and must be guaranteed by the caller or by the
// implementation.
type Repository interface {
	// Asset Ownership
	// NOTE(review): these methods key on assetID/groupID alone (no tenantID).
	// The "Extended Asset Ownership" group below is the tenant-isolated variant;
	// confirm which of the two request handlers are expected to use.
	CreateAssetOwner(ctx context.Context, ao *AssetOwner) error
	GetAssetOwner(ctx context.Context, assetID, groupID shared.ID) (*AssetOwner, error)
	UpdateAssetOwner(ctx context.Context, ao *AssetOwner) error
	DeleteAssetOwner(ctx context.Context, assetID, groupID shared.ID) error
	ListAssetOwners(ctx context.Context, assetID shared.ID) ([]*AssetOwner, error)
	ListAssetsByGroup(ctx context.Context, groupID shared.ID) ([]shared.ID, error)
	ListAssetOwnersByGroupWithDetails(ctx context.Context, groupID shared.ID, limit, offset int) ([]*AssetOwnerWithAsset, int64, error)
	ListGroupsByAsset(ctx context.Context, assetID shared.ID) ([]shared.ID, error)
	CountAssetOwners(ctx context.Context, assetID shared.ID) (int64, error)
	CountAssetsByGroups(ctx context.Context, groupIDs []shared.ID) (map[shared.ID]int, error)
	HasPrimaryOwner(ctx context.Context, assetID shared.ID) (bool, error)

	// Extended Asset Ownership (with tenant isolation and user/group name resolution)
	GetAssetOwnerByID(ctx context.Context, id shared.ID) (*AssetOwner, error)
	GetAssetOwnerByUser(ctx context.Context, assetID, userID shared.ID) (*AssetOwner, error)
	DeleteAssetOwnerByID(ctx context.Context, id shared.ID) error
	DeleteAssetOwnerByUser(ctx context.Context, assetID, userID shared.ID) error
	ListAssetOwnersWithNames(ctx context.Context, tenantID, assetID shared.ID) ([]*AssetOwnerWithNames, error)
	GetPrimaryOwnerBrief(ctx context.Context, tenantID, assetID shared.ID) (*OwnerBrief, error)
	GetPrimaryOwnersByAssetIDs(ctx context.Context, tenantID shared.ID, assetIDs []shared.ID) (map[string]*OwnerBrief, error)

	// Incremental access refresh for direct user ownership
	// NOTE(review): ownershipType is a plain string here rather than
	// OwnershipType (same for RefreshAccessForAssetAssign below). Callers should
	// only pass a value that satisfies OwnershipType.IsValid so the access table
	// cannot be refreshed with an unknown type.
	RefreshAccessForDirectOwnerAdd(ctx context.Context, assetID, userID shared.ID, ownershipType string) error
	RefreshAccessForDirectOwnerRemove(ctx context.Context, assetID, userID shared.ID) error

	// User-Asset access queries
	ListAccessibleAssets(ctx context.Context, tenantID, userID shared.ID) ([]shared.ID, error)
	// CanAccessAsset and GetUserAssetAccess take no tenantID; see the note on
	// the Asset Ownership group above.
	CanAccessAsset(ctx context.Context, userID, assetID shared.ID) (bool, error)
	GetUserAssetAccess(ctx context.Context, userID, assetID shared.ID) (*UserAssetAccess, error)
	// HasAnyScopeAssignment checks if a user has any rows in user_accessible_assets.
	// Used for backward compat: if false, user sees all data (no groups configured).
	// NOTE(review): this is a fail-open default. Callers must check err before
	// trusting the bool so that a failed query is never read as "no groups
	// configured" and widened into full visibility.
	HasAnyScopeAssignment(ctx context.Context, tenantID, userID shared.ID) (bool, error)

	// Group Permissions (custom overrides)
	CreateGroupPermission(ctx context.Context, gp *GroupPermission) error
	GetGroupPermission(ctx context.Context, groupID shared.ID, permissionID string) (*GroupPermission, error)
	UpdateGroupPermission(ctx context.Context, gp *GroupPermission) error
	DeleteGroupPermission(ctx context.Context, groupID shared.ID, permissionID string) error
	ListGroupPermissions(ctx context.Context, groupID shared.ID) ([]*GroupPermission, error)
	ListGroupPermissionsByEffect(ctx context.Context, groupID shared.ID, effect PermissionEffect) ([]*GroupPermission, error)

	// Assignment Rules
	CreateAssignmentRule(ctx context.Context, rule *AssignmentRule) error
	GetAssignmentRule(ctx context.Context, tenantID, id shared.ID) (*AssignmentRule, error)
	UpdateAssignmentRule(ctx context.Context, tenantID shared.ID, rule *AssignmentRule) error
	DeleteAssignmentRule(ctx context.Context, tenantID, id shared.ID) error
	// ListAssignmentRules / CountAssignmentRules: filter.OrderBy must be
	// validated against the documented column names by the implementation.
	ListAssignmentRules(ctx context.Context, tenantID shared.ID, filter AssignmentRuleFilter) ([]*AssignmentRule, error)
	CountAssignmentRules(ctx context.Context, tenantID shared.ID, filter AssignmentRuleFilter) (int64, error)
	ListActiveRulesByPriority(ctx context.Context, tenantID shared.ID) ([]*AssignmentRule, error)

	// Finding Group Assignments
	BulkCreateFindingGroupAssignments(ctx context.Context, fgas []*FindingGroupAssignment) (int, error)
	ListFindingGroupAssignments(ctx context.Context, tenantID, findingID shared.ID) ([]*FindingGroupAssignment, error)
	// BatchListFindingGroupIDs returns group IDs for multiple findings in 1 query.
	// Returns map[findingID][]groupID. Avoids N+1 in bulk operations.
	BatchListFindingGroupIDs(ctx context.Context, tenantID shared.ID, findingIDs []shared.ID) (map[shared.ID][]shared.ID, error)
	CountFindingsByGroupFromRules(ctx context.Context, tenantID, groupID shared.ID) (int64, error)

	// Bulk operations
	BulkCreateAssetOwners(ctx context.Context, owners []*AssetOwner) (int, error)

	// Materialized view operations
	RefreshUserAccessibleAssets(ctx context.Context) error

	// Incremental access refresh (targeted updates instead of full refresh)
	RefreshAccessForAssetAssign(ctx context.Context, groupID, assetID shared.ID, ownershipType string) error
	RefreshAccessForAssetUnassign(ctx context.Context, groupID, assetID shared.ID) error
	RefreshAccessForMemberAdd(ctx context.Context, groupID, userID shared.ID) error
	RefreshAccessForMemberRemove(ctx context.Context, groupID, userID shared.ID) error

	// Scope Rules (dynamic asset-to-group scoping)
	CreateScopeRule(ctx context.Context, rule *ScopeRule) error
	GetScopeRule(ctx context.Context, tenantID, id shared.ID) (*ScopeRule, error)
	UpdateScopeRule(ctx context.Context, tenantID shared.ID, rule *ScopeRule) error
	DeleteScopeRule(ctx context.Context, tenantID, id shared.ID) error
	ListScopeRules(ctx context.Context, tenantID, groupID shared.ID, filter ScopeRuleFilter) ([]*ScopeRule, error)
	CountScopeRules(ctx context.Context, tenantID, groupID shared.ID, filter ScopeRuleFilter) (int64, error)
	ListActiveScopeRulesByTenant(ctx context.Context, tenantID shared.ID) ([]*ScopeRule, error)
	ListActiveScopeRulesByGroup(ctx context.Context, tenantID, groupID shared.ID) ([]*ScopeRule, error)

	// Scope rule asset operations
	CreateAssetOwnerWithSource(ctx context.Context, ao *AssetOwner, source string, ruleID *shared.ID) error
	BulkCreateAssetOwnersWithSource(ctx context.Context, owners []*AssetOwner, source string, ruleID *shared.ID) (int, error)
	DeleteAutoAssignedByRule(ctx context.Context, tenantID, ruleID shared.ID) (int, error)
	DeleteAutoAssignedForAsset(ctx context.Context, assetID, groupID shared.ID) error
	BulkDeleteAutoAssignedForAssets(ctx context.Context, assetIDs []shared.ID, groupID shared.ID) (int, error)
	ListAutoAssignedAssets(ctx context.Context, tenantID, groupID shared.ID) ([]shared.ID, error)
	ListAutoAssignedGroupsForAsset(ctx context.Context, assetID shared.ID) ([]shared.ID, error)

	// Transactional scope rule operations
	DeleteScopeRuleWithCleanup(ctx context.Context, tenantID, ruleID shared.ID) (int, error)

	// Scope rule matching queries
	FindAssetsByTagMatch(ctx context.Context, tenantID shared.ID, tags []string, logic MatchLogic) ([]shared.ID, error)
	FindAssetsByAssetGroupMatch(ctx context.Context, tenantID shared.ID, assetGroupIDs []shared.ID) ([]shared.ID, error)

	// Scope rule controller queries
	ListTenantsWithActiveScopeRules(ctx context.Context) ([]shared.ID, error)
	ListGroupsWithActiveScopeRules(ctx context.Context, tenantID shared.ID) ([]shared.ID, error)
	ListGroupsWithAssetGroupMatchRule(ctx context.Context, assetGroupID shared.ID) ([]shared.ID, error)
}
Repository defines the interface for access control persistence.
type ScopeRule ¶ added in v0.1.2
type ScopeRule struct {
// contains filtered or unexported fields
}
ScopeRule represents a dynamic asset-to-group scoping rule.
func NewScopeRule ¶ added in v0.1.2
func NewScopeRule( tenantID, groupID shared.ID, name string, ruleType ScopeRuleType, createdBy *shared.ID, ) (*ScopeRule, error)
NewScopeRule creates a new scope rule.
func ReconstituteScopeRule ¶ added in v0.1.2
func ReconstituteScopeRule( id, tenantID, groupID shared.ID, name, description string, ruleType ScopeRuleType, matchTags []string, matchLogic MatchLogic, matchAssetGroupIDs []shared.ID, ownershipType OwnershipType, priority int, isActive bool, createdAt, updatedAt time.Time, createdBy *shared.ID, ) *ScopeRule
ReconstituteScopeRule recreates a ScopeRule from persistence.
func (*ScopeRule) Deactivate ¶ added in v0.1.2
func (r *ScopeRule) Deactivate()
func (*ScopeRule) Description ¶ added in v0.1.2
func (*ScopeRule) MatchAssetGroupIDs ¶ added in v0.1.2
func (*ScopeRule) MatchLogic ¶ added in v0.1.2
func (r *ScopeRule) MatchLogic() MatchLogic
func (*ScopeRule) OwnershipType ¶ added in v0.1.2
func (r *ScopeRule) OwnershipType() OwnershipType
func (*ScopeRule) RuleType ¶ added in v0.1.2
func (r *ScopeRule) RuleType() ScopeRuleType
func (*ScopeRule) SetMatchAssetGroupIDs ¶ added in v0.1.2
func (*ScopeRule) SetMatchTags ¶ added in v0.1.2
func (r *ScopeRule) SetMatchTags(tags []string, logic MatchLogic) error
func (*ScopeRule) SetOwnershipType ¶ added in v0.1.2
func (r *ScopeRule) SetOwnershipType(t OwnershipType) error
func (*ScopeRule) SetPriority ¶ added in v0.1.2
func (*ScopeRule) UpdateDescription ¶ added in v0.1.2
func (*ScopeRule) UpdateName ¶ added in v0.1.2
type ScopeRuleFilter ¶ added in v0.1.2
ScopeRuleFilter contains filter options for listing scope rules.
type ScopeRuleType ¶ added in v0.1.2
// ScopeRuleType represents the type of scope rule. It is a plain string
// alias, so the accepted set is defined by the constants that follow and
// checked with IsValid rather than by the type system.
type ScopeRuleType string
ScopeRuleType represents the type of scope rule.
// The string values below are presumably the persisted representation of a
// rule's type (ReconstituteScopeRule takes a ScopeRuleType straight from
// storage), so renaming one is a data migration, not a refactor — confirm.
const (
	// ScopeRuleTagMatch matches assets by their tags.
	ScopeRuleTagMatch ScopeRuleType = "tag_match"
	// ScopeRuleAssetGroupMatch matches assets by their asset group membership.
	ScopeRuleAssetGroupMatch ScopeRuleType = "asset_group_match"
)
func AllScopeRuleTypes ¶ added in v0.1.2
func AllScopeRuleTypes() []ScopeRuleType
AllScopeRuleTypes returns all valid scope rule types.
func (ScopeRuleType) IsValid ¶ added in v0.1.2
func (t ScopeRuleType) IsValid() bool
IsValid reports whether t is one of the defined scope rule types.
func (ScopeRuleType) String ¶ added in v0.1.2
func (t ScopeRuleType) String() string
String returns the string representation.
type ScopeType ¶
// ScopeType represents the type of permission scope. It is a plain string
// alias; the accepted values are the Scope* constants that follow.
type ScopeType string
ScopeType represents the type of permission scope.
// Permission scope types, from broadest to most specific. ScopeAll is the
// widest of the five and is the value to scrutinise when reviewing a
// permission for least privilege; the remaining scopes narrow a permission
// to a subset of assets or findings.
const (
	// ScopeAll applies to all resources.
	ScopeAll ScopeType = "all"
	// ScopeOwnedAssets applies only to assets owned by the group.
	ScopeOwnedAssets ScopeType = "owned_assets"
	// ScopeAssetType applies to specific asset types.
	ScopeAssetType ScopeType = "asset_type"
	// ScopeAssetTags applies to assets with specific tags.
	ScopeAssetTags ScopeType = "asset_tags"
	// ScopeSeverity applies to findings with specific severity levels.
	ScopeSeverity ScopeType = "severity"
)
type ScopeValue ¶
// ScopeValue represents the configuration for a scope.
//
// Which field is meaningful presumably depends on the ScopeType the value is
// paired with (ScopeAssetType → AssetTypes, ScopeAssetTags → Tags,
// ScopeSeverity → MinSeverity); that pairing is not enforced by this type —
// confirm at the validation site. Every field carries omitempty, so an unset
// scope marshals to an empty JSON object.
type ScopeValue struct {
	// AssetTypes lists the asset types a scope applies to; serialised as "asset_types".
	AssetTypes []string `json:"asset_types,omitempty"`
	// Tags lists the asset tags a scope applies to; serialised as "tags".
	Tags []string `json:"tags,omitempty"`
	// MinSeverity is a severity threshold kept as a free-form string; no
	// validation of its value is visible here. NOTE(review): confirm it is
	// checked against the accepted severity levels before it is used in a
	// permission decision.
	MinSeverity string `json:"min_severity,omitempty"`
}
ScopeValue represents the configuration for a scope.
type UserAccessibleAsset ¶
// UserAccessibleAsset represents an asset accessible by a user.
//
// NOTE(review): the name matches Repository.RefreshUserAccessibleAssets, so
// this looks like one row of that materialized access view — confirm. There
// is no UserID field, so the user is presumably implied by the query that
// returned the row.
type UserAccessibleAsset struct {
	// AssetID identifies the accessible asset.
	AssetID shared.ID
	// OwnershipType is the ownership type through which the asset is
	// accessible (see AssetOwner.HasFullAccess / HasViewAccess).
	OwnershipType OwnershipType
	// TenantID scopes the row to a tenant.
	TenantID shared.ID
}
UserAccessibleAsset represents an asset accessible by a user.
type UserAssetAccess ¶
// UserAssetAccess represents a user's access to an asset.
//
// Unlike UserAccessibleAsset it also records the group (GroupID, GroupName)
// associated with the access, which is what an audit of "why can this user
// reach this asset" needs.
type UserAssetAccess struct {
	// UserID is the user who holds the access.
	UserID shared.ID
	// AssetID is the asset the access applies to.
	AssetID shared.ID
	// OwnershipType is the ownership type the access is granted at.
	OwnershipType OwnershipType
	// GroupID is the group associated with the access — presumably the group
	// whose asset ownership confers it; confirm.
	GroupID shared.ID
	// GroupName is the group's display name, presumably denormalised for
	// display. NOTE(review): confirm it is never used as the key for an
	// authorization decision — GroupID is the stable identifier.
	GroupName string
}
UserAssetAccess represents a user's access to an asset.