rbac

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 20, 2025 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package rbac provides enhanced role-based access control functionality

Package rbac provides enhanced role-based access control functionality

Package rbac provides enhanced role-based access control functionality

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type InMemoryPermissionStore

type InMemoryPermissionStore struct {
	// contains filtered or unexported fields
}

InMemoryPermissionStore is an in-memory implementation of PermissionStore

func NewInMemoryPermissionStore

func NewInMemoryPermissionStore() *InMemoryPermissionStore

NewInMemoryPermissionStore creates a new in-memory permission store

func (*InMemoryPermissionStore) AssignPermissionToUser

func (s *InMemoryPermissionStore) AssignPermissionToUser(ctx context.Context, userID string, permissionID string) error

AssignPermissionToUser assigns a permission directly to a user

func (*InMemoryPermissionStore) CreatePermission

func (s *InMemoryPermissionStore) CreatePermission(ctx context.Context, permission *Permission) error

CreatePermission creates a new permission

func (*InMemoryPermissionStore) DeletePermission

func (s *InMemoryPermissionStore) DeletePermission(ctx context.Context, permissionID string) error

DeletePermission deletes a permission

func (*InMemoryPermissionStore) GetPermission

func (s *InMemoryPermissionStore) GetPermission(ctx context.Context, permissionID string) (*Permission, error)

GetPermission retrieves a permission by ID

func (*InMemoryPermissionStore) GetUserPermissions

func (s *InMemoryPermissionStore) GetUserPermissions(ctx context.Context, userID string) ([]*Permission, error)

GetUserPermissions gets all permissions directly assigned to a user

func (*InMemoryPermissionStore) ListPermissions

func (s *InMemoryPermissionStore) ListPermissions(ctx context.Context) ([]*Permission, error)

ListPermissions lists all permissions

func (*InMemoryPermissionStore) PermissionExists

func (s *InMemoryPermissionStore) PermissionExists(ctx context.Context, permissionID string) (bool, error)

PermissionExists checks if a permission exists

func (*InMemoryPermissionStore) RevokePermissionFromUser

func (s *InMemoryPermissionStore) RevokePermissionFromUser(ctx context.Context, userID string, permissionID string) error

RevokePermissionFromUser revokes a permission from a user

func (*InMemoryPermissionStore) UpdatePermission

func (s *InMemoryPermissionStore) UpdatePermission(ctx context.Context, permission *Permission) error

UpdatePermission updates an existing permission

type InMemoryRoleStore

type InMemoryRoleStore struct {
	// contains filtered or unexported fields
}

InMemoryRoleStore is an in-memory implementation of RoleStore

func NewInMemoryRoleStore

func NewInMemoryRoleStore() *InMemoryRoleStore

NewInMemoryRoleStore creates a new in-memory role store

func (*InMemoryRoleStore) AddPermissionToRole

func (s *InMemoryRoleStore) AddPermissionToRole(ctx context.Context, roleID string, permissionID string) error

AddPermissionToRole adds a permission to a role

func (*InMemoryRoleStore) AssignRoleToUser

func (s *InMemoryRoleStore) AssignRoleToUser(ctx context.Context, userID string, roleID string) error

AssignRoleToUser assigns a role to a user

func (*InMemoryRoleStore) CreateRole

func (s *InMemoryRoleStore) CreateRole(ctx context.Context, role *Role) error

CreateRole creates a new role

func (*InMemoryRoleStore) DeleteRole

func (s *InMemoryRoleStore) DeleteRole(ctx context.Context, roleID string) error

DeleteRole deletes a role

func (*InMemoryRoleStore) GetRole

func (s *InMemoryRoleStore) GetRole(ctx context.Context, roleID string) (*Role, error)

GetRole retrieves a role by ID

func (*InMemoryRoleStore) GetUserRoles

func (s *InMemoryRoleStore) GetUserRoles(ctx context.Context, userID string) ([]*Role, error)

GetUserRoles gets all roles assigned to a user

func (*InMemoryRoleStore) ListRoles

func (s *InMemoryRoleStore) ListRoles(ctx context.Context) ([]*Role, error)

ListRoles lists all roles

func (*InMemoryRoleStore) RemovePermissionFromRole

func (s *InMemoryRoleStore) RemovePermissionFromRole(ctx context.Context, roleID string, permissionID string) error

RemovePermissionFromRole removes a permission from a role

func (*InMemoryRoleStore) RevokeRoleFromUser

func (s *InMemoryRoleStore) RevokeRoleFromUser(ctx context.Context, userID string, roleID string) error

RevokeRoleFromUser revokes a role from a user

func (*InMemoryRoleStore) RoleExists

func (s *InMemoryRoleStore) RoleExists(ctx context.Context, roleID string) (bool, error)

RoleExists checks if a role exists

func (*InMemoryRoleStore) UpdateRole

func (s *InMemoryRoleStore) UpdateRole(ctx context.Context, role *Role) error

UpdateRole updates an existing role

type Permission

type Permission struct {
	// Unique identifier for the permission
	ID string `json:"id"`

	// Human-readable name for the permission
	Name string `json:"name"`

	// Description of the permission
	Description string `json:"description"`

	// Resource type this permission applies to
	ResourceType string `json:"resource_type"`

	// Action this permission allows
	Action string `json:"action"`

	// Whether this is a system permission (cannot be deleted)
	SystemPermission bool `json:"system_permission"`

	// Time when the permission was created
	CreatedAt time.Time `json:"created_at"`

	// Time when the permission was last updated
	UpdatedAt time.Time `json:"updated_at"`

	// Additional metadata for the permission
	Metadata map[string]interface{} `json:"metadata,omitempty"`
}

Permission represents a permission in the RBAC system

func DefaultPermissions

func DefaultPermissions() []Permission

DefaultPermissions returns the default system permissions

func NewPermission

func NewPermission(id, name, description, resourceType, action string) *Permission

NewPermission creates a new permission

type PermissionStore

type PermissionStore interface {
	// CreatePermission creates a new permission
	CreatePermission(ctx context.Context, permission *Permission) error

	// GetPermission retrieves a permission by ID
	GetPermission(ctx context.Context, permissionID string) (*Permission, error)

	// UpdatePermission updates an existing permission
	UpdatePermission(ctx context.Context, permission *Permission) error

	// DeletePermission deletes a permission
	DeletePermission(ctx context.Context, permissionID string) error

	// ListPermissions lists all permissions
	ListPermissions(ctx context.Context) ([]*Permission, error)

	// PermissionExists checks if a permission exists
	PermissionExists(ctx context.Context, permissionID string) (bool, error)

	// AssignPermissionToUser assigns a permission directly to a user
	AssignPermissionToUser(ctx context.Context, userID string, permissionID string) error

	// RevokePermissionFromUser revokes a permission from a user
	RevokePermissionFromUser(ctx context.Context, userID string, permissionID string) error

	// GetUserPermissions gets all permissions directly assigned to a user
	GetUserPermissions(ctx context.Context, userID string) ([]*Permission, error)
}

PermissionStore defines the interface for permission storage

type RBACConfig

type RBACConfig struct {
	// Whether RBAC is enabled
	Enabled bool `json:"enabled"`

	// Whether to enforce strict role hierarchy
	StrictHierarchy bool `json:"strict_hierarchy"`

	// Whether to allow direct permission assignments to users
	AllowDirectPermissions bool `json:"allow_direct_permissions"`

	// Default roles to create
	DefaultRoles []Role `json:"default_roles"`

	// Maximum depth of role hierarchy
	MaxHierarchyDepth int `json:"max_hierarchy_depth"`

	// Whether to cache permission checks
	EnablePermissionCache bool `json:"enable_permission_cache"`

	// Permission cache TTL in seconds
	PermissionCacheTTL int `json:"permission_cache_ttl"`

	// Whether to automatically create missing permissions
	AutoCreatePermissions bool `json:"auto_create_permissions"`

	// Whether to log permission checks
	LogPermissionChecks bool `json:"log_permission_checks"`

	// Minimum severity for logging permission checks
	LogPermissionCheckSeverity common.AuditSeverity `json:"log_permission_check_severity"`
}

RBACConfig defines configuration for the RBAC system

func DefaultRBACConfig

func DefaultRBACConfig() *RBACConfig

DefaultRBACConfig returns the default RBAC configuration

type RBACManager

type RBACManager struct {
	// contains filtered or unexported fields
}

RBACManager manages role-based access control with enhanced features

func NewRBACManager

func NewRBACManager(config *RBACConfig, roleStore RoleStore, permissionStore PermissionStore, auditManager *audit.AuditManager) (*RBACManager, error)

NewRBACManager creates a new RBAC manager

func (*RBACManager) AddPermissionToRole

func (m *RBACManager) AddPermissionToRole(ctx context.Context, roleID string, permissionID string) error

AddPermissionToRole adds a permission to a role

func (*RBACManager) AssignRoleToUser

func (m *RBACManager) AssignRoleToUser(ctx context.Context, userID string, roleID string) error

AssignRoleToUser assigns a role to a user

func (*RBACManager) CreateRole

func (m *RBACManager) CreateRole(ctx context.Context, role *Role) error

CreateRole creates a new role

func (*RBACManager) DeleteRole

func (m *RBACManager) DeleteRole(ctx context.Context, roleID string) error

DeleteRole deletes a role

func (*RBACManager) GetRole

func (m *RBACManager) GetRole(ctx context.Context, roleID string) (*Role, error)

GetRole gets a role by ID

func (*RBACManager) GetRolePermissions

func (m *RBACManager) GetRolePermissions(ctx context.Context, roleID string) ([]string, error)

GetRolePermissions gets all permissions assigned to a role

func (*RBACManager) GetUserPermissions

func (m *RBACManager) GetUserPermissions(ctx context.Context, userID string) ([]string, error)

GetUserPermissions gets all permissions assigned to a user (including from roles)

func (*RBACManager) GetUserRoles

func (m *RBACManager) GetUserRoles(ctx context.Context, userID string) ([]*Role, error)

GetUserRoles gets all roles assigned to a user

func (*RBACManager) HasPermission

func (m *RBACManager) HasPermission(ctx context.Context, userID string, permissionID string) (bool, error)

HasPermission checks if a user has a specific permission

func (*RBACManager) ListRoles

func (m *RBACManager) ListRoles(ctx context.Context) ([]*Role, error)

ListRoles lists all roles

func (*RBACManager) RemovePermissionFromRole

func (m *RBACManager) RemovePermissionFromRole(ctx context.Context, roleID string, permissionID string) error

RemovePermissionFromRole removes a permission from a role

func (*RBACManager) RevokeRoleFromUser

func (m *RBACManager) RevokeRoleFromUser(ctx context.Context, userID string, roleID string) error

RevokeRoleFromUser revokes a role from a user

func (*RBACManager) UpdateRole

func (m *RBACManager) UpdateRole(ctx context.Context, role *Role) error

UpdateRole updates an existing role

type Role

type Role struct {
	// Unique identifier for the role
	ID string `json:"id"`

	// Human-readable name for the role
	Name string `json:"name"`

	// Description of the role
	Description string `json:"description"`

	// Permissions assigned to this role
	Permissions []string `json:"permissions"`

	// Parent roles in the role hierarchy
	ParentRoles []string `json:"parent_roles"`

	// Whether the role is a system role (cannot be deleted)
	SystemRole bool `json:"system_role"`

	// Time when the role was created
	CreatedAt time.Time `json:"created_at"`

	// Time when the role was last updated
	UpdatedAt time.Time `json:"updated_at"`

	// Additional metadata for the role
	Metadata map[string]interface{} `json:"metadata,omitempty"`
}

Role represents a role in the RBAC system

func DefaultRoles

func DefaultRoles() []Role

DefaultRoles returns the default system roles

func NewRole

func NewRole(id, name, description string) *Role

NewRole creates a new role

type RoleStore

type RoleStore interface {
	// CreateRole creates a new role
	CreateRole(ctx context.Context, role *Role) error

	// GetRole retrieves a role by ID
	GetRole(ctx context.Context, roleID string) (*Role, error)

	// UpdateRole updates an existing role
	UpdateRole(ctx context.Context, role *Role) error

	// DeleteRole deletes a role
	DeleteRole(ctx context.Context, roleID string) error

	// ListRoles lists all roles
	ListRoles(ctx context.Context) ([]*Role, error)

	// RoleExists checks if a role exists
	RoleExists(ctx context.Context, roleID string) (bool, error)

	// AssignRoleToUser assigns a role to a user
	AssignRoleToUser(ctx context.Context, userID string, roleID string) error

	// RevokeRoleFromUser revokes a role from a user
	RevokeRoleFromUser(ctx context.Context, userID string, roleID string) error

	// GetUserRoles gets all roles assigned to a user
	GetUserRoles(ctx context.Context, userID string) ([]*Role, error)

	// AddPermissionToRole adds a permission to a role
	AddPermissionToRole(ctx context.Context, roleID string, permissionID string) error

	// RemovePermissionFromRole removes a permission from a role
	RemovePermissionFromRole(ctx context.Context, roleID string, permissionID string) error
}

RoleStore defines the interface for role storage

type UserPermission

type UserPermission struct {
	// User ID
	UserID string `json:"user_id"`

	// Permission ID
	PermissionID string `json:"permission_id"`

	// Time when the permission was assigned
	AssignedAt time.Time `json:"assigned_at"`

	// User who assigned the permission
	AssignedBy string `json:"assigned_by,omitempty"`

	// Expiration time for the permission assignment (if any)
	ExpiresAt time.Time `json:"expires_at,omitempty"`
}

UserPermission represents a direct permission assignment to a user

type UserRole

type UserRole struct {
	// User ID
	UserID string `json:"user_id"`

	// Role ID
	RoleID string `json:"role_id"`

	// Time when the role was assigned
	AssignedAt time.Time `json:"assigned_at"`

	// User who assigned the role
	AssignedBy string `json:"assigned_by,omitempty"`

	// Expiration time for the role assignment (if any)
	ExpiresAt time.Time `json:"expires_at,omitempty"`
}

UserRole represents a role assignment to a user

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL