migration

package
v0.0.13 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jan 3, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ConversionPreview

// ConversionPreview is the JSON-serializable preview of converting one legacy
// RBAC policy, as returned by PreviewConversion.
//
// Original is the RBAC policy the preview refers to and Success is the outcome
// flag; both are always serialized. CELExpression, ResourceType, ResourceID,
// PolicyName and Error are tagged omitempty and are left out of the JSON when
// empty.
//
// NOTE(review): presumably Error is populated only when Success is false and
// the CEL fields only when it is true; confirm against the implementation.
// NOTE(review): CELExpression is presumably the expression a migrated policy
// would carry, so compare it with Original (Actions, Resource, Condition) to
// confirm the conversion does not grant more than the legacy policy did.
type ConversionPreview struct {
	Original      *RBACPolicy `json:"original"`
	Success       bool        `json:"success"`
	CELExpression string      `json:"celExpression,omitempty"`
	ResourceType  string      `json:"resourceType,omitempty"`
	ResourceID    string      `json:"resourceId,omitempty"`
	PolicyName    string      `json:"policyName,omitempty"`
	Error         string      `json:"error,omitempty"`
}

ConversionPreview represents a preview of policy conversion

type Logger

// Logger is the logging interface the migration code depends on. Each method
// takes a message and a variadic list of additional values.
//
// NOTE(review): the expected layout of fields (for example alternating
// key/value pairs) is not visible here; confirm against the logger being
// adapted.
// NOTE(review): migration messages may carry policy subjects and resources
// (MigrationError exposes both); handle the output like other authorization
// audit data.
type Logger interface {
	Info(msg string, fields ...interface{})
	Warn(msg string, fields ...interface{})
	Error(msg string, fields ...interface{})
}

Logger interface for migration logging

type MigrationConfig

// MigrationConfig holds the settings passed to NewRBACMigrationService.
// DefaultMigrationConfig returns a default value of this type.
type MigrationConfig struct {
	// BatchSize for processing policies.
	// NOTE(review): the behavior for zero or negative values is not visible here.
	BatchSize int

	// DryRun mode - log but don't persist. MigrationResult also carries a
	// DryRun field, presumably echoing this flag.
	DryRun bool

	// PreserveOriginal keeps RBAC policies after migration.
	// NOTE(review): what happens to the legacy policies when this is false is
	// not visible here; confirm before running without a backup of the RBAC
	// data.
	PreserveOriginal bool

	// DefaultNamespace for migrated policies.
	DefaultNamespace string

	// DefaultPriority for migrated policies.
	// NOTE(review): how priority orders policy evaluation is not visible here.
	DefaultPriority int
}

MigrationConfig configures the migration service

func DefaultMigrationConfig

func DefaultMigrationConfig() MigrationConfig

DefaultMigrationConfig returns default configuration

type MigrationError

// MigrationError is the element type of MigrationResult.Errors and is
// serialized to JSON with every field always present.
//
// Presumably PolicyIndex, Subject and Resource identify the policy concerned
// and Error holds the failure text.
// NOTE(review): which list PolicyIndex indexes into is not visible here.
// NOTE(review): Subject and Resource name principals and protected resources;
// treat serialized results as sensitive when exporting or logging them.
type MigrationError struct {
	PolicyIndex int    `json:"policyIndex"`
	Subject     string `json:"subject"`
	Resource    string `json:"resource"`
	Error       string `json:"error"`
}

MigrationError represents an error during migration

type MigrationPolicyRepoAdapter

// MigrationPolicyRepoAdapter adapts the permissions storage.Repository to
// migration.PolicyRepository. Its fields are unexported and no exported
// constructor for it appears in this listing.
type MigrationPolicyRepoAdapter struct {
	// contains filtered or unexported fields
}

MigrationPolicyRepoAdapter adapts the permissions storage.Repository to migration.PolicyRepository

type MigrationResult

// MigrationResult is the JSON-serializable summary returned by MigrateAll and
// MigrateRoles.
//
// TotalPolicies, MigratedPolicies, SkippedPolicies and FailedPolicies are
// counters; Errors and ConvertedPolicies are omitted from the JSON when empty;
// StartedAt and CompletedAt are timestamps for the run; DryRun records the
// mode.
//
// NOTE(review): a nil error from the migration call does not by itself show
// that every policy converted; presumably callers must also check
// FailedPolicies and Errors - confirm against the implementation.
// NOTE(review): ConvertedPolicies and Errors describe the authorization policy
// set; restrict who can read a serialized result.
type MigrationResult struct {
	TotalPolicies     int              `json:"totalPolicies"`
	MigratedPolicies  int              `json:"migratedPolicies"`
	SkippedPolicies   int              `json:"skippedPolicies"`
	FailedPolicies    int              `json:"failedPolicies"`
	Errors            []MigrationError `json:"errors,omitempty"`
	ConvertedPolicies []*core.Policy   `json:"convertedPolicies,omitempty"`
	StartedAt         time.Time        `json:"startedAt"`
	CompletedAt       time.Time        `json:"completedAt"`
	DryRun            bool             `json:"dryRun"`
}

MigrationResult represents the result of a migration operation

type NoOpLogger

// NoOpLogger is a logger that does nothing (for testing). Its pointer type has
// the Info, Warn and Error methods that Logger requires.
// NOTE(review): using it outside tests would discard the migration's log
// output, leaving no record of what was converted.
type NoOpLogger struct{}

NoOpLogger is a logger that does nothing (for testing)

func (*NoOpLogger) Error

func (l *NoOpLogger) Error(msg string, fields ...interface{})

func (*NoOpLogger) Info

func (l *NoOpLogger) Info(msg string, fields ...interface{})

func (*NoOpLogger) Warn

func (l *NoOpLogger) Warn(msg string, fields ...interface{})

type PolicyRepository

// PolicyRepository is the storage interface the migration service uses for
// migrated policies.
//
// CreatePolicy stores one policy. GetPoliciesByResourceType looks policies up
// by app, environment, user organization (a pointer, so presumably optional)
// and resource type.
// NOTE(review): presumably the lookup is used to detect policies that already
// exist; confirm. No update or delete method is part of this interface.
type PolicyRepository interface {
	CreatePolicy(ctx context.Context, policy *core.Policy) error
	GetPoliciesByResourceType(ctx context.Context, appID, envID xid.ID, userOrgID *xid.ID, resourceType string) ([]*core.Policy, error)
}

PolicyRepository interface for storing migrated policies

type RBACAdapterConfig

// RBACAdapterConfig carries the dependencies passed to NewRBACServiceAdapter:
// the core RBAC service and its role, permission, role-permission and policy
// repositories.
// NOTE(review): whether any field may be left nil is not visible here.
type RBACAdapterConfig struct {
	RBACService    *rbac.Service
	RoleRepo       rbac.RoleRepository
	PermissionRepo rbac.PermissionRepository
	RolePermRepo   rbac.RolePermissionRepository
	PolicyRepo     rbac.PolicyRepository
}

RBACAdapterConfig configures the RBAC adapter

type RBACMigrationService

// RBACMigrationService handles migration from the legacy RBAC system to the
// new CEL-based permissions system. It is created with
// NewRBACMigrationService; its fields are unexported.
type RBACMigrationService struct {
	// contains filtered or unexported fields
}

RBACMigrationService handles migration from the legacy RBAC system to the new CEL-based permissions system

func NewRBACMigrationService

func NewRBACMigrationService(
	policyRepo PolicyRepository,
	rbacService RBACService,
	logger Logger,
	config MigrationConfig,
) *RBACMigrationService

NewRBACMigrationService creates a new RBAC migration service

func (*RBACMigrationService) ConvertPolicy

func (s *RBACMigrationService) ConvertPolicy(
	ctx context.Context,
	rbacPolicy *RBACPolicy,
	appID, envID xid.ID,
	userOrgID *xid.ID,
	createdBy xid.ID,
) (*core.Policy, error)

ConvertPolicy converts a single RBAC policy to a CEL policy

func (*RBACMigrationService) MigrateAll

func (s *RBACMigrationService) MigrateAll(ctx context.Context, appID, envID xid.ID, userOrgID *xid.ID, createdBy xid.ID) (*MigrationResult, error)

MigrateAll migrates all RBAC policies to the permissions system

func (*RBACMigrationService) MigrateRoles

func (s *RBACMigrationService) MigrateRoles(ctx context.Context, appID, envID xid.ID, createdBy xid.ID) (*MigrationResult, error)

MigrateRoles migrates role-based permissions to policies

func (*RBACMigrationService) PreviewConversion

func (s *RBACMigrationService) PreviewConversion(ctx context.Context, rbacPolicy *RBACPolicy) (*ConversionPreview, error)

PreviewConversion previews the conversion of an RBAC policy without storing

type RBACPolicy

// RBACPolicy represents a legacy RBAC policy, as returned by
// RBACService.GetAllPolicies and accepted by ConvertPolicy and
// PreviewConversion.
//
// NOTE(review): Condition is free-form text and Resource may carry a wildcard
// (see the field examples). How both are translated to CEL is not visible
// here; verify that an empty or unparsable Condition cannot yield a policy
// broader than the legacy one, and treat these strings as untrusted input if
// tenants can author them.
type RBACPolicy struct {
	Subject   string   `json:"subject"`   // e.g., "user", "role:admin"
	Actions   []string `json:"actions"`   // e.g., ["read", "write"]
	Resource  string   `json:"resource"`  // e.g., "project:*", "document:123"
	Condition string   `json:"condition"` // e.g., "owner = true"
}

RBACPolicy represents a legacy RBAC policy

type RBACService

// RBACService is the interface through which the migration service reads
// existing RBAC data. It declares only Get methods.
type RBACService interface {
	// GetAllPolicies returns all RBAC policies.
	// NOTE(review): unlike GetRoles it takes no app or environment argument;
	// confirm how implementations scope the result in a multi-tenant setup,
	// since MigrateAll writes under a specific appID and envID.
	GetAllPolicies(ctx context.Context) ([]*RBACPolicy, error)

	// GetRoles returns all roles for an app and environment.
	GetRoles(ctx context.Context, appID, envID xid.ID) ([]*schema.Role, error)

	// GetRolePermissions returns permissions for a role.
	// NOTE(review): the lookup is keyed by roleID alone; whether the role is
	// checked against an app or environment is not visible here.
	GetRolePermissions(ctx context.Context, roleID xid.ID) ([]*schema.Permission, error)
}

RBACService interface for reading existing RBAC data

type RBACServiceAdapter

// RBACServiceAdapter adapts the core rbac.Service to the migration.RBACService
// interface. It also keeps an in-memory policy list that AddPolicy appends to
// and ClearPolicies empties.
// NOTE(review): whether the in-memory list is safe for concurrent use, and
// whether GetAllPolicies includes it, is not visible here.
type RBACServiceAdapter struct {
	// contains filtered or unexported fields
}

RBACServiceAdapter adapts the core rbac.Service to the migration.RBACService interface

func NewRBACServiceAdapter

func NewRBACServiceAdapter(cfg RBACAdapterConfig) *RBACServiceAdapter

NewRBACServiceAdapter creates a new RBAC service adapter

func (*RBACServiceAdapter) AddPolicy

func (a *RBACServiceAdapter) AddPolicy(policy *RBACPolicy)

AddPolicy adds a policy to the in-memory list (for testing or manual policies)

func (*RBACServiceAdapter) ClearPolicies

func (a *RBACServiceAdapter) ClearPolicies()

ClearPolicies clears the in-memory policy list

func (*RBACServiceAdapter) GetAllAppPermissions

func (a *RBACServiceAdapter) GetAllAppPermissions(ctx context.Context, appID xid.ID) ([]*schema.Permission, error)

GetAllAppPermissions returns all permissions for an app

func (*RBACServiceAdapter) GetAllPolicies

func (a *RBACServiceAdapter) GetAllPolicies(ctx context.Context) ([]*RBACPolicy, error)

GetAllPolicies returns all RBAC policies

func (*RBACServiceAdapter) GetOrgRoles

func (a *RBACServiceAdapter) GetOrgRoles(ctx context.Context, orgID, envID xid.ID) ([]*schema.Role, error)

GetOrgRoles returns all roles for an organization and environment

func (*RBACServiceAdapter) GetRolePermissions

func (a *RBACServiceAdapter) GetRolePermissions(ctx context.Context, roleID xid.ID) ([]*schema.Permission, error)

GetRolePermissions returns permissions for a role

func (*RBACServiceAdapter) GetRoles

func (a *RBACServiceAdapter) GetRoles(ctx context.Context, appID, envID xid.ID) ([]*schema.Role, error)

GetRoles returns all roles for an app and environment

type UserRoleAdapter

// UserRoleAdapter provides user role operations for attribute resolution:
// GetUserRoles and GetUserPermissions return role and permission names for a
// given user ID and organization ID. It is created with NewUserRoleAdapter;
// its fields are unexported.
type UserRoleAdapter struct {
	// contains filtered or unexported fields
}

UserRoleAdapter provides user role operations for attribute resolution

func NewUserRoleAdapter

func NewUserRoleAdapter(
	userRoleRepo rbac.UserRoleRepository,
	roleRepo rbac.RoleRepository,
	rolePermRepo rbac.RolePermissionRepository,
) *UserRoleAdapter

NewUserRoleAdapter creates a new user role adapter

func (*UserRoleAdapter) GetUserPermissions

func (a *UserRoleAdapter) GetUserPermissions(ctx context.Context, userID, orgID xid.ID) ([]string, error)

GetUserPermissions returns permission names for a user based on their roles

func (*UserRoleAdapter) GetUserRoles

func (a *UserRoleAdapter) GetUserRoles(ctx context.Context, userID, orgID xid.ID) ([]string, error)

GetUserRoles returns role names for a user in an organization
