Documentation
¶
Overview ¶
Package rbac provides enhanced role-based access control functionality
Package rbac provides enhanced role-based access control functionality ¶
Package rbac provides enhanced role-based access control functionality
Index ¶
- type InMemoryPermissionStore
- func (s *InMemoryPermissionStore) AssignPermissionToUser(ctx context.Context, userID string, permissionID string) error
- func (s *InMemoryPermissionStore) CreatePermission(ctx context.Context, permission *Permission) error
- func (s *InMemoryPermissionStore) DeletePermission(ctx context.Context, permissionID string) error
- func (s *InMemoryPermissionStore) GetPermission(ctx context.Context, permissionID string) (*Permission, error)
- func (s *InMemoryPermissionStore) GetUserPermissions(ctx context.Context, userID string) ([]*Permission, error)
- func (s *InMemoryPermissionStore) ListPermissions(ctx context.Context) ([]*Permission, error)
- func (s *InMemoryPermissionStore) PermissionExists(ctx context.Context, permissionID string) (bool, error)
- func (s *InMemoryPermissionStore) RevokePermissionFromUser(ctx context.Context, userID string, permissionID string) error
- func (s *InMemoryPermissionStore) UpdatePermission(ctx context.Context, permission *Permission) error
- type InMemoryRoleStore
- func (s *InMemoryRoleStore) AddPermissionToRole(ctx context.Context, roleID string, permissionID string) error
- func (s *InMemoryRoleStore) AssignRoleToUser(ctx context.Context, userID string, roleID string) error
- func (s *InMemoryRoleStore) CreateRole(ctx context.Context, role *Role) error
- func (s *InMemoryRoleStore) DeleteRole(ctx context.Context, roleID string) error
- func (s *InMemoryRoleStore) GetRole(ctx context.Context, roleID string) (*Role, error)
- func (s *InMemoryRoleStore) GetUserRoles(ctx context.Context, userID string) ([]*Role, error)
- func (s *InMemoryRoleStore) ListRoles(ctx context.Context) ([]*Role, error)
- func (s *InMemoryRoleStore) RemovePermissionFromRole(ctx context.Context, roleID string, permissionID string) error
- func (s *InMemoryRoleStore) RevokeRoleFromUser(ctx context.Context, userID string, roleID string) error
- func (s *InMemoryRoleStore) RoleExists(ctx context.Context, roleID string) (bool, error)
- func (s *InMemoryRoleStore) UpdateRole(ctx context.Context, role *Role) error
- type Permission
- type PermissionStore
- type RBACConfig
- type RBACManager
- func (m *RBACManager) AddPermissionToRole(ctx context.Context, roleID string, permissionID string) error
- func (m *RBACManager) AssignRoleToUser(ctx context.Context, userID string, roleID string) error
- func (m *RBACManager) CreateRole(ctx context.Context, role *Role) error
- func (m *RBACManager) DeleteRole(ctx context.Context, roleID string) error
- func (m *RBACManager) GetRole(ctx context.Context, roleID string) (*Role, error)
- func (m *RBACManager) GetRolePermissions(ctx context.Context, roleID string) ([]string, error)
- func (m *RBACManager) GetUserPermissions(ctx context.Context, userID string) ([]string, error)
- func (m *RBACManager) GetUserRoles(ctx context.Context, userID string) ([]*Role, error)
- func (m *RBACManager) HasPermission(ctx context.Context, userID string, permissionID string) (bool, error)
- func (m *RBACManager) ListRoles(ctx context.Context) ([]*Role, error)
- func (m *RBACManager) RemovePermissionFromRole(ctx context.Context, roleID string, permissionID string) error
- func (m *RBACManager) RevokeRoleFromUser(ctx context.Context, userID string, roleID string) error
- func (m *RBACManager) UpdateRole(ctx context.Context, role *Role) error
- type Role
- type RoleStore
- type UserPermission
- type UserRole
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type InMemoryPermissionStore ¶
type InMemoryPermissionStore struct {
// contains filtered or unexported fields
}
InMemoryPermissionStore is an in-memory implementation of PermissionStore
func NewInMemoryPermissionStore ¶
func NewInMemoryPermissionStore() *InMemoryPermissionStore
NewInMemoryPermissionStore creates a new in-memory permission store
func (*InMemoryPermissionStore) AssignPermissionToUser ¶
func (s *InMemoryPermissionStore) AssignPermissionToUser(ctx context.Context, userID string, permissionID string) error
AssignPermissionToUser assigns a permission directly to a user
func (*InMemoryPermissionStore) CreatePermission ¶
func (s *InMemoryPermissionStore) CreatePermission(ctx context.Context, permission *Permission) error
CreatePermission creates a new permission
func (*InMemoryPermissionStore) DeletePermission ¶
func (s *InMemoryPermissionStore) DeletePermission(ctx context.Context, permissionID string) error
DeletePermission deletes a permission
func (*InMemoryPermissionStore) GetPermission ¶
func (s *InMemoryPermissionStore) GetPermission(ctx context.Context, permissionID string) (*Permission, error)
GetPermission retrieves a permission by ID
func (*InMemoryPermissionStore) GetUserPermissions ¶
func (s *InMemoryPermissionStore) GetUserPermissions(ctx context.Context, userID string) ([]*Permission, error)
GetUserPermissions gets all permissions directly assigned to a user
func (*InMemoryPermissionStore) ListPermissions ¶
func (s *InMemoryPermissionStore) ListPermissions(ctx context.Context) ([]*Permission, error)
ListPermissions lists all permissions
func (*InMemoryPermissionStore) PermissionExists ¶
func (s *InMemoryPermissionStore) PermissionExists(ctx context.Context, permissionID string) (bool, error)
PermissionExists checks if a permission exists
func (*InMemoryPermissionStore) RevokePermissionFromUser ¶
func (s *InMemoryPermissionStore) RevokePermissionFromUser(ctx context.Context, userID string, permissionID string) error
RevokePermissionFromUser revokes a permission from a user
func (*InMemoryPermissionStore) UpdatePermission ¶
func (s *InMemoryPermissionStore) UpdatePermission(ctx context.Context, permission *Permission) error
UpdatePermission updates an existing permission
type InMemoryRoleStore ¶
type InMemoryRoleStore struct {
// contains filtered or unexported fields
}
InMemoryRoleStore is an in-memory implementation of RoleStore
func NewInMemoryRoleStore ¶
func NewInMemoryRoleStore() *InMemoryRoleStore
NewInMemoryRoleStore creates a new in-memory role store
func (*InMemoryRoleStore) AddPermissionToRole ¶
func (s *InMemoryRoleStore) AddPermissionToRole(ctx context.Context, roleID string, permissionID string) error
AddPermissionToRole adds a permission to a role
func (*InMemoryRoleStore) AssignRoleToUser ¶
func (s *InMemoryRoleStore) AssignRoleToUser(ctx context.Context, userID string, roleID string) error
AssignRoleToUser assigns a role to a user
func (*InMemoryRoleStore) CreateRole ¶
func (s *InMemoryRoleStore) CreateRole(ctx context.Context, role *Role) error
CreateRole creates a new role
func (*InMemoryRoleStore) DeleteRole ¶
func (s *InMemoryRoleStore) DeleteRole(ctx context.Context, roleID string) error
DeleteRole deletes a role
func (*InMemoryRoleStore) GetUserRoles ¶
GetUserRoles gets all roles assigned to a user
func (*InMemoryRoleStore) ListRoles ¶
func (s *InMemoryRoleStore) ListRoles(ctx context.Context) ([]*Role, error)
ListRoles lists all roles
func (*InMemoryRoleStore) RemovePermissionFromRole ¶
func (s *InMemoryRoleStore) RemovePermissionFromRole(ctx context.Context, roleID string, permissionID string) error
RemovePermissionFromRole removes a permission from a role
func (*InMemoryRoleStore) RevokeRoleFromUser ¶
func (s *InMemoryRoleStore) RevokeRoleFromUser(ctx context.Context, userID string, roleID string) error
RevokeRoleFromUser revokes a role from a user
func (*InMemoryRoleStore) RoleExists ¶
RoleExists checks if a role exists
func (*InMemoryRoleStore) UpdateRole ¶
func (s *InMemoryRoleStore) UpdateRole(ctx context.Context, role *Role) error
UpdateRole updates an existing role
type Permission ¶
type Permission struct {
// Unique identifier for the permission
ID string `json:"id"`
// Human-readable name for the permission
Name string `json:"name"`
// Description of the permission
Description string `json:"description"`
// Resource type this permission applies to
ResourceType string `json:"resource_type"`
// Action this permission allows
Action string `json:"action"`
// Whether this is a system permission (cannot be deleted)
SystemPermission bool `json:"system_permission"`
// Time when the permission was created
CreatedAt time.Time `json:"created_at"`
// Time when the permission was last updated
UpdatedAt time.Time `json:"updated_at"`
// Additional metadata for the permission
Metadata map[string]interface{} `json:"metadata,omitempty"`
}
Permission represents a permission in the RBAC system
func DefaultPermissions ¶
func DefaultPermissions() []Permission
DefaultPermissions returns the default system permissions
func NewPermission ¶
func NewPermission(id, name, description, resourceType, action string) *Permission
NewPermission creates a new permission
type PermissionStore ¶
type PermissionStore interface {
// CreatePermission creates a new permission
CreatePermission(ctx context.Context, permission *Permission) error
// GetPermission retrieves a permission by ID
GetPermission(ctx context.Context, permissionID string) (*Permission, error)
// UpdatePermission updates an existing permission
UpdatePermission(ctx context.Context, permission *Permission) error
// DeletePermission deletes a permission
DeletePermission(ctx context.Context, permissionID string) error
// ListPermissions lists all permissions
ListPermissions(ctx context.Context) ([]*Permission, error)
// PermissionExists checks if a permission exists
PermissionExists(ctx context.Context, permissionID string) (bool, error)
// AssignPermissionToUser assigns a permission directly to a user
AssignPermissionToUser(ctx context.Context, userID string, permissionID string) error
// RevokePermissionFromUser revokes a permission from a user
RevokePermissionFromUser(ctx context.Context, userID string, permissionID string) error
// GetUserPermissions gets all permissions directly assigned to a user
GetUserPermissions(ctx context.Context, userID string) ([]*Permission, error)
}
PermissionStore defines the interface for permission storage
type RBACConfig ¶
type RBACConfig struct {
// Whether RBAC is enabled
Enabled bool `json:"enabled"`
// Whether to enforce strict role hierarchy
StrictHierarchy bool `json:"strict_hierarchy"`
// Whether to allow direct permission assignments to users
AllowDirectPermissions bool `json:"allow_direct_permissions"`
// Default roles to create
DefaultRoles []Role `json:"default_roles"`
// Maximum depth of role hierarchy
MaxHierarchyDepth int `json:"max_hierarchy_depth"`
// Whether to cache permission checks
EnablePermissionCache bool `json:"enable_permission_cache"`
// Permission cache TTL in seconds
PermissionCacheTTL int `json:"permission_cache_ttl"`
// Whether to automatically create missing permissions
AutoCreatePermissions bool `json:"auto_create_permissions"`
// Whether to log permission checks
LogPermissionChecks bool `json:"log_permission_checks"`
// Minimum severity for logging permission checks
LogPermissionCheckSeverity common.AuditSeverity `json:"log_permission_check_severity"`
}
RBACConfig defines configuration for the RBAC system
func DefaultRBACConfig ¶
func DefaultRBACConfig() *RBACConfig
DefaultRBACConfig returns the default RBAC configuration
type RBACManager ¶
type RBACManager struct {
// contains filtered or unexported fields
}
RBACManager manages role-based access control with enhanced features
func NewRBACManager ¶
func NewRBACManager(config *RBACConfig, roleStore RoleStore, permissionStore PermissionStore, auditManager *audit.AuditManager) (*RBACManager, error)
NewRBACManager creates a new RBAC manager
func (*RBACManager) AddPermissionToRole ¶
func (m *RBACManager) AddPermissionToRole(ctx context.Context, roleID string, permissionID string) error
AddPermissionToRole adds a permission to a role
func (*RBACManager) AssignRoleToUser ¶
AssignRoleToUser assigns a role to a user
func (*RBACManager) CreateRole ¶
func (m *RBACManager) CreateRole(ctx context.Context, role *Role) error
CreateRole creates a new role
func (*RBACManager) DeleteRole ¶
func (m *RBACManager) DeleteRole(ctx context.Context, roleID string) error
DeleteRole deletes a role
func (*RBACManager) GetRolePermissions ¶
GetRolePermissions gets all permissions assigned to a role
func (*RBACManager) GetUserPermissions ¶
GetUserPermissions gets all permissions assigned to a user (including from roles)
func (*RBACManager) GetUserRoles ¶
GetUserRoles gets all roles assigned to a user
func (*RBACManager) HasPermission ¶
func (m *RBACManager) HasPermission(ctx context.Context, userID string, permissionID string) (bool, error)
HasPermission checks if a user has a specific permission
func (*RBACManager) ListRoles ¶
func (m *RBACManager) ListRoles(ctx context.Context) ([]*Role, error)
ListRoles lists all roles
func (*RBACManager) RemovePermissionFromRole ¶
func (m *RBACManager) RemovePermissionFromRole(ctx context.Context, roleID string, permissionID string) error
RemovePermissionFromRole removes a permission from a role
func (*RBACManager) RevokeRoleFromUser ¶
RevokeRoleFromUser revokes a role from a user
func (*RBACManager) UpdateRole ¶
func (m *RBACManager) UpdateRole(ctx context.Context, role *Role) error
UpdateRole updates an existing role
type Role ¶
type Role struct {
// Unique identifier for the role
ID string `json:"id"`
// Human-readable name for the role
Name string `json:"name"`
// Description of the role
Description string `json:"description"`
// Permissions assigned to this role
Permissions []string `json:"permissions"`
// Parent roles in the role hierarchy
ParentRoles []string `json:"parent_roles"`
// Whether the role is a system role (cannot be deleted)
SystemRole bool `json:"system_role"`
// Time when the role was created
CreatedAt time.Time `json:"created_at"`
// Time when the role was last updated
UpdatedAt time.Time `json:"updated_at"`
// Additional metadata for the role
Metadata map[string]interface{} `json:"metadata,omitempty"`
}
Role represents a role in the RBAC system
type RoleStore ¶
type RoleStore interface {
// CreateRole creates a new role
CreateRole(ctx context.Context, role *Role) error
// GetRole retrieves a role by ID
GetRole(ctx context.Context, roleID string) (*Role, error)
// UpdateRole updates an existing role
UpdateRole(ctx context.Context, role *Role) error
// DeleteRole deletes a role
DeleteRole(ctx context.Context, roleID string) error
// ListRoles lists all roles
ListRoles(ctx context.Context) ([]*Role, error)
// RoleExists checks if a role exists
RoleExists(ctx context.Context, roleID string) (bool, error)
// AssignRoleToUser assigns a role to a user
AssignRoleToUser(ctx context.Context, userID string, roleID string) error
// RevokeRoleFromUser revokes a role from a user
RevokeRoleFromUser(ctx context.Context, userID string, roleID string) error
// GetUserRoles gets all roles assigned to a user
GetUserRoles(ctx context.Context, userID string) ([]*Role, error)
// AddPermissionToRole adds a permission to a role
AddPermissionToRole(ctx context.Context, roleID string, permissionID string) error
// RemovePermissionFromRole removes a permission from a role
RemovePermissionFromRole(ctx context.Context, roleID string, permissionID string) error
}
RoleStore defines the interface for role storage
type UserPermission ¶
type UserPermission struct {
// User ID
UserID string `json:"user_id"`
// Permission ID
PermissionID string `json:"permission_id"`
// Time when the permission was assigned
AssignedAt time.Time `json:"assigned_at"`
// User who assigned the permission
AssignedBy string `json:"assigned_by,omitempty"`
// Expiration time for the permission assignment (if any)
ExpiresAt time.Time `json:"expires_at,omitempty"`
}
UserPermission represents a direct permission assignment to a user
type UserRole ¶
type UserRole struct {
// User ID
UserID string `json:"user_id"`
// Role ID
RoleID string `json:"role_id"`
// Time when the role was assigned
AssignedAt time.Time `json:"assigned_at"`
// User who assigned the role
AssignedBy string `json:"assigned_by,omitempty"`
// Expiration time for the role assignment (if any)
ExpiresAt time.Time `json:"expires_at,omitempty"`
}
UserRole represents a role assignment to a user