membership



Constants

This section is empty.

Variables

var (
	// Errors that apply to every resource scope (organization, project, group).
	ErrAlreadyMember       = errors.New("principal is already a member of this resource")
	ErrNotMember           = errors.New("principal is not a member of this resource")
	ErrInvalidResourceType = errors.New("unsupported resource type")

	// Errors about the principal being acted on rather than the resource.
	ErrInvalidPrincipal     = errors.New("invalid principal")
	ErrInvalidPrincipalType = errors.New("unsupported principal type")
	ErrPrincipalNotInOrg    = errors.New("principal does not belong to this organization")
	ErrNotOrgMember         = errors.New("principal is not a member of the organization")

	// Organization scope. ErrLastOwnerRole protects the invariant that an
	// organization always keeps at least one owner.
	ErrInvalidOrgRole = errors.New("role is not valid for organization scope")
	ErrLastOwnerRole  = errors.New("cannot change role: this is the last owner of the organization")

	// Project scope.
	ErrInvalidProjectRole = errors.New("role is not valid for project scope")

	// Group scope. ErrLastGroupOwnerRole is the group counterpart of
	// ErrLastOwnerRole.
	ErrInvalidGroupRole   = errors.New("role is not valid for group scope")
	ErrLastGroupOwnerRole = errors.New("cannot change role: this is the last owner of the group")
)

Functions

This section is empty.

Types

type AuditRecordRepository

// AuditRecordRepository is the audit sink injected into Service via
// NewService; only record creation is needed. Which membership mutations
// are recorded, and with what content, is decided by the Service
// implementation and is not visible from this interface.
type AuditRecordRepository interface {
	Create(ctx context.Context, auditRecord auditrecord.AuditRecord) (auditrecord.AuditRecord, error)
}

type GroupService

// GroupService is the read-only view of groups the membership service
// needs: single lookup by ID or name, and listing by filter (used, for
// example, when an org removal cascades through the org's groups).
type GroupService interface {
	Get(ctx context.Context, idOrName string) (group.Group, error)
	List(ctx context.Context, flt group.Filter) ([]group.Group, error)
}

type Member added in v0.102.0

// Member is a principal that has one or more policies on a resource, as
// returned by ListPrincipalsByResource.
type Member struct {
	// PrincipalID identifies the principal (a user, service user or group).
	PrincipalID   string
	// PrincipalType is the principal's schema type, e.g. schema.UserPrincipal,
	// schema.ServiceUserPrincipal or schema.GroupPrincipal.
	PrincipalType string
	// Roles are the roles this principal holds on the resource.
	Roles         []role.Role
}

Member is a principal that has one or more policies on a resource.

type MemberFilter added in v0.102.0

// MemberFilter narrows the results of ListPrincipalsByResource. The zero
// value applies no filtering and returns every principal with a policy on
// the resource.
type MemberFilter struct {
	// PrincipalType restricts the result to a single principal type
	// (e.g. schema.UserPrincipal, schema.ServiceUserPrincipal, schema.GroupPrincipal).
	// Empty means no restriction.
	PrincipalType string
	// RoleIDs includes principals that have at least one of these roles on the resource.
	// Empty means no role filtering.
	RoleIDs []string
}

MemberFilter narrows the results of ListPrincipalsByResource.

type OrgService

// OrgService is the organization lookup the membership service needs
// (e.g. to resolve a project's or group's parent org before checking that a
// principal belongs to it).
type OrgService interface {
	Get(ctx context.Context, idOrName string) (organization.Organization, error)
}

type PolicyService

// PolicyService is the policy-store API membership depends on. Policies are
// what the list methods read (ListResourcesByPrincipal reads them from
// Postgres without consulting SpiceDB), so they are the record of which
// principal holds which role on which resource.
type PolicyService interface {
	Create(ctx context.Context, pol policy.Policy) (policy.Policy, error)
	List(ctx context.Context, flt policy.Filter) ([]policy.Policy, error)
	Delete(ctx context.Context, id string) error
	// DeleteWithMinRoleGuard deletes policy id but is expected to refuse when
	// that would remove the last holder of guardRoleID on the resource.
	// Membership relies on it for the last-owner invariant (see
	// RemoveGroupMember), so the implementation must make the check and the
	// delete atomic; a check-then-delete in two steps would be racy.
	DeleteWithMinRoleGuard(ctx context.Context, id string, guardRoleID string) error
}

type ProjectService

// ProjectService is the read-only view of projects the membership service
// needs: single lookup by ID or name, and listing by filter (used, for
// example, when an org removal cascades through the org's projects).
type ProjectService interface {
	Get(ctx context.Context, idOrName string) (project.Project, error)
	List(ctx context.Context, flt project.Filter) ([]project.Project, error)
}

type RelationService

// RelationService creates and deletes SpiceDB relations. Membership uses it
// for the relations it maintains alongside policies — the org<->group
// hierarchy and the group owner/member relations (see OnGroupCreated and
// OnGroupDeleted). Project membership is policy-only and does not go
// through it.
type RelationService interface {
	Create(ctx context.Context, rel relation.Relation) (relation.Relation, error)
	Delete(ctx context.Context, rel relation.Relation) error
}

type ResourceFilter added in v0.103.1

// ResourceFilter narrows the results of ListResourcesByPrincipal. Which
// fields have an effect depends on the resource type being listed; each
// field documents the types it ignores.
type ResourceFilter struct {
	// OrgID restricts project/group results to one org. No-op for orgs.
	OrgID string

	// NonInherited suppresses org-inheritance expansion for projects (direct
	// + group-expanded only). No-op for orgs and groups.
	NonInherited bool
}

ResourceFilter narrows the results of ListResourcesByPrincipal.

type RoleService

// RoleService is the role lookup the membership service needs, e.g. to
// validate that a requested role is valid for the target scope
// (ErrInvalidOrgRole, ErrInvalidProjectRole, ErrInvalidGroupRole).
type RoleService interface {
	Get(ctx context.Context, idOrName string) (role.Role, error)
	List(ctx context.Context, flt role.Filter) ([]role.Role, error)
}

type Service

// Service implements membership changes for organizations, projects and
// groups, coordinating the policy store, SpiceDB relations and audit records
// that NewService wires in. Construct it with NewService; the zero value is
// not usable.
type Service struct {
	// contains filtered or unexported fields
}

func NewService

func NewService(
	logger *slog.Logger,
	policyService PolicyService,
	relationService RelationService,
	roleService RoleService,
	orgService OrgService,
	userService UserService,
	projectService ProjectService,
	groupService GroupService,
	serviceuserService ServiceuserService,
	auditRecordRepository AuditRecordRepository,
) *Service

func (*Service) AddOrganizationMember

func (s *Service) AddOrganizationMember(ctx context.Context, orgID, principalID, principalType, roleID string) error

AddOrganizationMember adds a principal (user or service user) to an organization with an explicit role, bypassing the invitation flow. Because no invitation is involved, this package documents no authorization of the caller — the caller must have authorized the request before invoking it. Returns ErrAlreadyMember if the principal already has a policy on this org; to change an existing member's role use SetOrganizationMemberRole instead.

func (*Service) ListGroupsByPrincipal added in v0.104.0

func (s *Service) ListGroupsByPrincipal(ctx context.Context, principal authenticate.Principal, orgID string) ([]string, error)

ListGroupsByPrincipal is a shim for the group package (group → membership would be an import cycle). PATs scope orgs and projects, not groups, so a PAT sees exactly its user's groups: the PAT is resolved to its user before the lookup.

func (*Service) ListOrgsByPrincipal added in v0.104.0

func (s *Service) ListOrgsByPrincipal(ctx context.Context, principal authenticate.Principal) ([]string, error)

ListOrgsByPrincipal lets the organization package consume this without importing membership — that direction would be a cycle since membership already imports organization.

func (*Service) ListPrincipalsByResource added in v0.102.0

func (s *Service) ListPrincipalsByResource(ctx context.Context, resourceID, resourceType string, filter MemberFilter) ([]Member, error)

ListPrincipalsByResource returns the principals (users, service users, groups) that have at least one policy on the given resource, optionally filtered by principal type and/or role via MemberFilter. Each Member may additionally carry the full list of roles that principal holds on the resource (Member.Roles); MemberFilter exposes no switch for that enrichment, so whether it is always performed should be confirmed against the implementation.

func (*Service) ListProjectsByPrincipal added in v0.104.0

func (s *Service) ListProjectsByPrincipal(ctx context.Context, principal authenticate.Principal, orgID string, nonInherited bool) ([]string, error)

ListProjectsByPrincipal is a shim for the project package (project → membership would be an import cycle). It delegates to ListResourcesByPrincipal so that a PAT's scope is intersected with its user's — a PAT can narrow but never widen visibility.

func (*Service) ListResourcesByPrincipal added in v0.103.1

func (s *Service) ListResourcesByPrincipal(ctx context.Context, principal authenticate.Principal, resourceType string, filter ResourceFilter) ([]string, error)

ListResourcesByPrincipal returns the resource IDs of the given type on which the principal has at least one policy. It reads policies from Postgres only; SpiceDB is not consulted, so the result reflects policy rows rather than relation-derived access. With a PAT, it runs the algorithm twice (once for the user, once with the PAT as principal) and intersects the two sets, so the PAT can narrow but never widen the user's visibility.

func (*Service) OnGroupCreated added in v0.102.0

func (s *Service) OnGroupCreated(ctx context.Context, groupID, orgID, creatorID, creatorType string) error

OnGroupCreated wires up SpiceDB relations for a newly-created group: links the group to its parent organization (both directions) and adds the creator as owner via SetGroupMemberRole. If the owner add fails, the hierarchy relations are rolled back on a best-effort basis to avoid an unowned, half-linked group. Since that rollback can itself fail, an error from this call does not guarantee a clean state; the caller should treat it as needing cleanup or retry rather than as a no-op.

func (*Service) OnGroupDeleted added in v0.103.0

func (s *Service) OnGroupDeleted(ctx context.Context, groupID string) error

OnGroupDeleted tears down all SpiceDB state created during the group's lifetime: per-member policies and owner/member relations, policies where the group itself is the principal on other resources (e.g. group granted a role on a project), and the two org<->group hierarchy relations. The group entity itself is left for the caller (group.Service.DeleteModel) to remove.

Errors are joined; partial failures are logged so a retry can complete the cleanup.

func (*Service) RemoveAllGroupMembers added in v0.103.0

func (s *Service) RemoveAllGroupMembers(ctx context.Context, groupID string) error

RemoveAllGroupMembers tears down membership for a group that is being destroyed: deletes every policy on the group and every owner/member relation per principal. No min-owner check — the group itself is going away, so the invariant doesn't apply. Errors are joined; partial failures are logged so a retry can complete the cleanup.

func (*Service) RemoveGroupMember added in v0.103.0

func (s *Service) RemoveGroupMember(ctx context.Context, groupID, principalID, principalType string) error

RemoveGroupMember removes a principal from a group, cleaning up both their group policies and the matching SpiceDB relations. Returns ErrNotMember if the principal has no policies on this group; ErrLastGroupOwnerRole if they are the sole remaining owner (enforced atomically via the policy guard).

func (*Service) RemoveOrganizationMember

func (s *Service) RemoveOrganizationMember(ctx context.Context, orgID, principalID, principalType string) error

RemoveOrganizationMember removes a principal from an organization and cascades the removal through all org projects and groups, cleaning up both policies and relations. Returns ErrNotMember if the principal has no policies on this org. Note that, unlike RemoveGroupMember, no last-owner guard is documented here — confirm whether removing the sole remaining owner of an org is rejected before relying on it.

func (*Service) RemoveProjectMember

func (s *Service) RemoveProjectMember(ctx context.Context, projectID, principalID, principalType string) error

RemoveProjectMember removes a principal from a project by deleting all their project-level policies. Only direct project policies are removed: access the principal still receives through org-level inheritance or through a group that holds a role on the project is untouched, so the principal may still resolve to project access via those paths after this call.

func (*Service) SetGroupMemberRole added in v0.102.0

func (s *Service) SetGroupMemberRole(ctx context.Context, groupID, principalID, principalType, roleID string) error

SetGroupMemberRole upserts the role assignment for a principal in a group: if the principal has no existing group policy, they are added with the requested role; otherwise their existing role is replaced with the requested role. New adds require the principal to be a member of the group's parent organization. Demoting the last owner returns ErrLastGroupOwnerRole.

func (*Service) SetOrganizationMemberRole

func (s *Service) SetOrganizationMemberRole(ctx context.Context, orgID, principalID, principalType, roleID string) error

SetOrganizationMemberRole changes an existing member's role in an organization. Supports user and service user principals. Skips the write if the member already has exactly the requested role. Demoting the sole remaining owner is expected to fail with ErrLastOwnerRole (the package's last-owner error for organizations); confirm against the implementation.

func (*Service) SetProjectMemberRole

func (s *Service) SetProjectMemberRole(ctx context.Context, projectID, principalID, principalType, roleID string) error

SetProjectMemberRole sets or changes a principal's role in a project (upsert). It validates the role is project-scoped and the principal is a member of the parent org. No explicit SpiceDB relations are managed — projects use policies only.

type ServiceuserService

// ServiceuserService is the service-user lookup the membership service
// needs to validate a principal of type service user (by ID only).
type ServiceuserService interface {
	Get(ctx context.Context, id string) (serviceuser.ServiceUser, error)
}

type UserService

// UserService is the user lookup the membership service needs to validate
// a principal of type user (by ID only).
type UserService interface {
	GetByID(ctx context.Context, id string) (user.User, error)
}
