membership

package

v0.103.0 Latest Latest Go to latest Published: May 18, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/raystack/frontier

Links

Documentation ¶

Index ¶

Variables
type AuditRecordRepository
type GroupService
type Member
type MemberFilter
type OrgService
type PolicyService
type ProjectService
type RelationService
type RoleService
type Service
- func NewService(logger *slog.Logger, policyService PolicyService, ...) *Service
type ServiceuserService
type UserService

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ErrAlreadyMember        = errors.New("principal is already a member of this resource")
	ErrNotMember            = errors.New("principal is not a member of this resource")
	ErrInvalidOrgRole       = errors.New("role is not valid for organization scope")
	ErrLastOwnerRole        = errors.New("cannot change role: this is the last owner of the organization")
	ErrInvalidPrincipal     = errors.New("invalid principal")
	ErrPrincipalNotInOrg    = errors.New("principal does not belong to this organization")
	ErrInvalidPrincipalType = errors.New("unsupported principal type")
	ErrNotOrgMember         = errors.New("principal is not a member of the organization")
	ErrInvalidProjectRole   = errors.New("role is not valid for project scope")
	ErrInvalidResourceType  = errors.New("unsupported resource type")
	ErrInvalidGroupRole     = errors.New("role is not valid for group scope")
	ErrLastGroupOwnerRole   = errors.New("cannot change role: this is the last owner of the group")
)

Functions ¶

This section is empty.

Types ¶

type AuditRecordRepository ¶

type AuditRecordRepository interface {
	Create(ctx context.Context, auditRecord auditrecord.AuditRecord) (auditrecord.AuditRecord, error)
}

type GroupService ¶

type GroupService interface {
	Get(ctx context.Context, idOrName string) (group.Group, error)
	List(ctx context.Context, flt group.Filter) ([]group.Group, error)
}

type Member ¶ added in v0.102.0

type Member struct {
	PrincipalID   string
	PrincipalType string
	Roles         []role.Role
}

Member is a principal that has one or more policies on a resource.

type MemberFilter ¶ added in v0.102.0

type MemberFilter struct {
	// PrincipalType restricts the result to a single principal type
	// (e.g. schema.UserPrincipal, schema.ServiceUserPrincipal, schema.GroupPrincipal).
	// Empty means no restriction.
	PrincipalType string
	// RoleIDs includes principals that have at least one of these roles on the resource.
	// Empty means no role filtering.
	RoleIDs []string
}

MemberFilter narrows the results of ListPrincipalsByResource.

type OrgService ¶

type OrgService interface {
	Get(ctx context.Context, idOrName string) (organization.Organization, error)
}

type PolicyService ¶

type PolicyService interface {
	Create(ctx context.Context, pol policy.Policy) (policy.Policy, error)
	List(ctx context.Context, flt policy.Filter) ([]policy.Policy, error)
	Delete(ctx context.Context, id string) error
	DeleteWithMinRoleGuard(ctx context.Context, id string, guardRoleID string) error
}

type ProjectService ¶

type ProjectService interface {
	Get(ctx context.Context, idOrName string) (project.Project, error)
	List(ctx context.Context, flt project.Filter) ([]project.Project, error)
}

type RelationService ¶

type RelationService interface {
	Create(ctx context.Context, rel relation.Relation) (relation.Relation, error)
	Delete(ctx context.Context, rel relation.Relation) error
}

type RoleService ¶

type RoleService interface {
	Get(ctx context.Context, idOrName string) (role.Role, error)
	List(ctx context.Context, flt role.Filter) ([]role.Role, error)
}

type Service ¶

type Service struct {
	// contains filtered or unexported fields
}

func NewService ¶

func NewService(
	logger *slog.Logger,
	policyService PolicyService,
	relationService RelationService,
	roleService RoleService,
	orgService OrgService,
	userService UserService,
	projectService ProjectService,
	groupService GroupService,
	serviceuserService ServiceuserService,
	auditRecordRepository AuditRecordRepository,
) *Service

func (*Service) AddOrganizationMember ¶

func (s *Service) AddOrganizationMember(ctx context.Context, orgID, principalID, principalType, roleID string) error

AddOrganizationMember adds a principal (user or service user) to an organization with an explicit role, bypassing the invitation flow. Returns ErrAlreadyMember if the principal already has a policy on this org.

func (*Service) ListPrincipalsByResource ¶ added in v0.102.0

func (s *Service) ListPrincipalsByResource(ctx context.Context, resourceID, resourceType string, filter MemberFilter) ([]Member, error)

ListPrincipalsByResource returns the principals (users, service users, groups) that have at least one policy on the given resource, optionally filtered by principal type and/or role, and optionally enriched with the full list of roles each principal holds on the resource.

func (*Service) OnGroupCreated ¶ added in v0.102.0

func (s *Service) OnGroupCreated(ctx context.Context, groupID, orgID, creatorID, creatorType string) error

OnGroupCreated wires up SpiceDB relations for a newly-created group: links the group to its parent organization (both directions) and adds the creator as owner via SetGroupMemberRole. If the owner add fails, hierarchy relations are best-effort rolled back to avoid an unowned, half-linked group.

func (*Service) OnGroupDeleted ¶ added in v0.103.0

func (s *Service) OnGroupDeleted(ctx context.Context, groupID string) error

OnGroupDeleted tears down all SpiceDB state created during the group's lifetime: per-member policies and owner/member relations, policies where the group itself is the principal on other resources (e.g. group granted a role on a project), and the two org<->group hierarchy relations. The group entity itself is left for the caller (group.Service.DeleteModel) to remove.

Errors are joined; partial failures are logged so a retry can complete the cleanup.

func (*Service) RemoveAllGroupMembers ¶ added in v0.103.0

func (s *Service) RemoveAllGroupMembers(ctx context.Context, groupID string) error

RemoveAllGroupMembers tears down membership for a group that is being destroyed: deletes every policy on the group and every owner/member relation per principal. No min-owner check — the group itself is going away, so the invariant doesn't apply. Errors are joined; partial failures are logged so a retry can complete the cleanup.

func (*Service) RemoveGroupMember ¶ added in v0.103.0

func (s *Service) RemoveGroupMember(ctx context.Context, groupID, principalID, principalType string) error

RemoveGroupMember removes a principal from a group, cleaning up both their group policies and the matching SpiceDB relations. Returns ErrNotMember if the principal has no policies on this group; ErrLastGroupOwnerRole if they are the sole remaining owner (enforced atomically via the policy guard).

func (*Service) RemoveOrganizationMember ¶

func (s *Service) RemoveOrganizationMember(ctx context.Context, orgID, principalID, principalType string) error

RemoveOrganizationMember removes a principal from an organization and cascades the removal through all org projects and groups, cleaning up both policies and relations. Returns ErrNotMember if the principal has no policies on this org.

func (*Service) RemoveProjectMember ¶

func (s *Service) RemoveProjectMember(ctx context.Context, projectID, principalID, principalType string) error

RemoveProjectMember removes a principal from a project by deleting all their project-level policies.

func (*Service) SetGroupMemberRole ¶ added in v0.102.0

func (s *Service) SetGroupMemberRole(ctx context.Context, groupID, principalID, principalType, roleID string) error

SetGroupMemberRole upserts the role assignment for a principal in a group: if the principal has no existing group policy, they are added with the requested role; otherwise their existing role is replaced with the requested role. New adds require the principal to be a member of the group's parent organization. Demoting the last owner returns ErrLastGroupOwnerRole.

func (*Service) SetOrganizationMemberRole ¶

func (s *Service) SetOrganizationMemberRole(ctx context.Context, orgID, principalID, principalType, roleID string) error

SetOrganizationMemberRole changes an existing member's role in an organization. Supports user and service user principals. Skips the write if the member already has exactly the requested role.

func (*Service) SetProjectMemberRole ¶

func (s *Service) SetProjectMemberRole(ctx context.Context, projectID, principalID, principalType, roleID string) error

SetProjectMemberRole sets or changes a principal's role in a project (upsert). It validates the role is project-scoped and the principal is a member of the parent org. No explicit SpiceDB relations are managed — projects use policies only.

type ServiceuserService ¶

type ServiceuserService interface {
	Get(ctx context.Context, id string) (serviceuser.ServiceUser, error)
}

type UserService ¶

type UserService interface {
	GetByID(ctx context.Context, id string) (user.User, error)
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
mocks

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL