role

package
v1.5.2

This package is not in the latest version of its module.
Published: Jun 1, 2026 License: Apache-2.0 Imports: 4 Imported by: 1

Documentation

Overview

Package role defines the Role entity and its store interface for RBAC.

Types

type ListFilter

type ListFilter struct {
	TenantID        string  `json:"tenant_id,omitempty"`
	NamespacePath   *string `json:"namespace_path,omitempty"`
	NamespacePrefix string  `json:"namespace_prefix,omitempty"`
	IsSystem        *bool   `json:"is_system,omitempty"`
	IsDefault       *bool   `json:"is_default,omitempty"`
	ParentSlug      *string `json:"parent_slug,omitempty"`
	Search          string  `json:"search,omitempty"`
	Limit           int     `json:"limit,omitempty"`
	Offset          int     `json:"offset,omitempty"`
}

ListFilter contains filters for listing roles.

NamespacePath does an exact-match filter; NamespacePrefix matches all descendants under a path (e.g. "engineering/" matches "engineering", "engineering/platform", "engineering/platform/sre").
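The exact-match and descendant semantics above, applied to an in-memory slice as an added example (this is not code from the package): Role and ListFilter here are trimmed stand-ins carrying only the fields the filter uses, FilterRoles and IDs are hypothetical helpers, and sampleRoles is constructed data. The point worth seeing in code is that NamespacePrefix matching must be segment-aware: a naive string prefix test would let "engineering/" match "engineering-legacy" and quietly widen the listing.

```go
package main

import (
	"fmt"
	"strings"
)

// Role is a trimmed stand-in for the package's Role (assumption: only the
// fields this example filters on).
type Role struct{ ID, TenantID, NamespacePath, Slug string }

// ListFilter mirrors the namespace-related fields of the package's ListFilter;
// Search, Limit, Offset and the boolean flags are left out of this example.
type ListFilter struct {
	TenantID        string
	NamespacePath   *string // exact match when non-nil (a pointer to "" means the tenant root)
	NamespacePrefix string  // the path itself and all its descendants when non-empty
}

// matchesNamespacePrefix implements the documented NamespacePrefix rule:
// "engineering/" matches "engineering" itself and every path below it, but
// not "engineering-legacy", which a plain strings.HasPrefix test would accept.
func matchesNamespacePrefix(nsPath, prefix string) bool {
	base := strings.TrimSuffix(prefix, "/")
	return base == "" || nsPath == base || strings.HasPrefix(nsPath, base+"/")
}

// FilterRoles applies the tenant, exact-namespace and descendant filters to a
// slice, the way a database-backed Store.ListRoles would apply them in SQL.
func FilterRoles(roles []*Role, f ListFilter) []*Role {
	var out []*Role
	for _, r := range roles {
		switch {
		case f.TenantID != "" && r.TenantID != f.TenantID:
		case f.NamespacePath != nil && r.NamespacePath != *f.NamespacePath:
		case f.NamespacePrefix != "" && !matchesNamespacePrefix(r.NamespacePath, f.NamespacePrefix):
		default:
			out = append(out, r)
		}
	}
	return out
}

// IDs returns the role IDs in order, for printing and assertions.
func IDs(roles []*Role) []string {
	ids := make([]string, 0, len(roles))
	for _, r := range roles {
		ids = append(ids, r.ID)
	}
	return ids
}

// sampleRoles is constructed demo data spanning two tenants.
func sampleRoles() []*Role {
	return []*Role{
		{ID: "r1", TenantID: "acme", NamespacePath: "", Slug: "admin"},
		{ID: "r2", TenantID: "acme", NamespacePath: "engineering", Slug: "viewer"},
		{ID: "r3", TenantID: "acme", NamespacePath: "engineering/platform", Slug: "sre"},
		{ID: "r4", TenantID: "acme", NamespacePath: "engineering-legacy", Slug: "viewer"}, // sibling, not a descendant
		{ID: "r5", TenantID: "globex", NamespacePath: "engineering", Slug: "viewer"},      // other tenant
	}
}

func main() {
	roles := sampleRoles()
	fmt.Println(IDs(FilterRoles(roles, ListFilter{TenantID: "acme", NamespacePrefix: "engineering/"})))
	root := ""
	fmt.Println(IDs(FilterRoles(roles, ListFilter{TenantID: "acme", NamespacePath: &root})))
}
```

Note the asymmetry between the two fields: a nil NamespacePath means "no filter", while a pointer to the empty string selects only roles at the tenant root, so callers building a filter from request parameters should keep that distinction explicit.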

type Role

type Role struct {
	ID            id.RoleID      `json:"id" db:"id"`
	TenantID      string         `json:"tenant_id" db:"tenant_id"`
	NamespacePath string         `json:"namespace_path,omitempty" db:"namespace_path"`
	AppID         string         `json:"app_id" db:"app_id"`
	Name          string         `json:"name" db:"name"`
	Description   string         `json:"description,omitempty" db:"description"`
	Slug          string         `json:"slug" db:"slug"`
	IsSystem      bool           `json:"is_system" db:"is_system"`
	IsDefault     bool           `json:"is_default" db:"is_default"`
	ParentSlug    string         `json:"parent_slug,omitempty" db:"parent_slug"`
	MaxMembers    int            `json:"max_members,omitempty" db:"max_members"`
	Metadata      map[string]any `json:"metadata,omitempty" db:"metadata"`
	CreatedAt     time.Time      `json:"created_at" db:"created_at"`
	UpdatedAt     time.Time      `json:"updated_at" db:"updated_at"`
}

Role represents an authorization role that can be assigned to subjects.

Inheritance is expressed by ParentSlug, the slug of another role in the same tenant and namespace. Slugs are stable, human-readable, and unique per (tenant_id, namespace_path, slug) — making role hierarchies declarable in source-controlled config without knowing typeids upfront.

NamespacePath locates the role within the tenant's namespace tree (e.g. "engineering/platform"). Empty string is the tenant root. Resolution at Check time considers a subject's roles at the request's namespace and every ancestor of that namespace (cascading scope inheritance).
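The two inheritance rules described above, the (tenant_id, namespace_path, slug) uniqueness key behind ParentSlug and the cascading scope resolution at Check time, as an added example that is not part of the package: MemStore is a hypothetical in-memory stand-in for the Store interface, Role is trimmed to the fields resolution needs with id.RoleID replaced by a plain string, and sampleRoles is constructed data. It also shows the two failure modes a resolver must handle, a ParentSlug cycle and a ParentSlug that points at no role.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Role is a trimmed stand-in for the package's Role (assumption: only the
// fields resolution needs; id.RoleID is replaced by a plain string).
type Role struct{ ID, TenantID, NamespacePath, Slug, ParentSlug string }

// slugKey is the documented uniqueness key (tenant_id, namespace_path, slug).
type slugKey struct{ tenant, ns, slug string }

// MemStore is a constructed in-memory stand-in for the Store interface.
type MemStore struct{ bySlug map[slugKey]*Role }

// NewMemStore indexes roles by natural key and rejects a duplicate, the
// invariant a database unique constraint would enforce.
func NewMemStore(roles ...*Role) (*MemStore, error) {
	s := &MemStore{bySlug: map[slugKey]*Role{}}
	for _, r := range roles {
		k := slugKey{r.TenantID, r.NamespacePath, r.Slug}
		if _, dup := s.bySlug[k]; dup {
			return nil, fmt.Errorf("duplicate slug %q in tenant %q namespace %q", r.Slug, r.TenantID, r.NamespacePath)
		}
		s.bySlug[k] = r
	}
	return s, nil
}

// ancestors returns nsPath followed by every ancestor up to the tenant root
// "": the scopes a Check at nsPath consults.
func ancestors(nsPath string) []string {
	out := []string{nsPath}
	for nsPath != "" {
		nsPath = strings.TrimSuffix(nsPath[:strings.LastIndex(nsPath, "/")+1], "/")
		out = append(out, nsPath)
	}
	return out
}

// EffectiveRoles resolves the roles in force for a subject at requestNS. A
// direct grant counts when its namespace is requestNS or an ancestor of it
// (cascading scope inheritance); each counted role then pulls in its
// ParentSlug chain, looked up in the same tenant and namespace. The seen set
// terminates a cycle; a dangling ParentSlug just ends the chain.
func (s *MemStore) EffectiveRoles(assigned []*Role, requestNS string) []string {
	inScope := map[string]bool{}
	for _, ns := range ancestors(requestNS) {
		inScope[ns] = true
	}
	seen := map[slugKey]bool{}
	for _, r := range assigned {
		if !inScope[r.NamespacePath] {
			continue // granted in a sibling or child scope: not in force here
		}
		for cur := r; cur != nil; {
			k := slugKey{cur.TenantID, cur.NamespacePath, cur.Slug}
			if seen[k] {
				break // already resolved, or a ParentSlug cycle
			}
			seen[k] = true
			if cur.ParentSlug == "" {
				break
			}
			cur = s.bySlug[slugKey{cur.TenantID, cur.NamespacePath, cur.ParentSlug}]
		}
	}
	out := make([]string, 0, len(seen)) // "namespace_path:slug", sorted
	for k := range seen {
		out = append(out, k.ns+":"+k.slug)
	}
	sort.Strings(out)
	return out
}

// sampleRoles is constructed demo data for tenant "acme".
func sampleRoles() []*Role {
	return []*Role{
		{ID: "r1", TenantID: "acme", NamespacePath: "", Slug: "admin"},
		{ID: "r2", TenantID: "acme", NamespacePath: "engineering", Slug: "viewer"},
		{ID: "r3", TenantID: "acme", NamespacePath: "engineering", Slug: "editor", ParentSlug: "viewer"},
		{ID: "r4", TenantID: "acme", NamespacePath: "engineering/platform", Slug: "oncall", ParentSlug: "sre-lead"}, // dangling parent
		{ID: "r5", TenantID: "acme", NamespacePath: "marketing", Slug: "editor"}, // same slug, other namespace: allowed
		{ID: "r6", TenantID: "acme", NamespacePath: "ops", Slug: "a", ParentSlug: "b"},
		{ID: "r7", TenantID: "acme", NamespacePath: "ops", Slug: "b", ParentSlug: "a"}, // cycle with r6
	}
}

func main() {
	s, err := NewMemStore(sampleRoles()...)
	if err != nil {
		panic(err)
	}
	editor := s.bySlug[slugKey{"acme", "engineering", "editor"}]
	oncall := s.bySlug[slugKey{"acme", "engineering/platform", "oncall"}]
	fmt.Println(s.EffectiveRoles([]*Role{editor, oncall}, "engineering/platform/sre"))
}
```

Two points follow from the documented key. Because slugs are unique only per (tenant_id, namespace_path), the parent lookup above stays inside the child's own namespace, as the Role documentation specifies; the Store interface's ListChildRoles, by contrast, takes only a tenantID and parentSlug, so a caller that needs children of one specific parent should filter its result by NamespacePath. And a role granted at the tenant root is in scope for every request in the tenant, which is why the example resolves "admin" at root regardless of the request namespace.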

type Store

type Store interface {
	// CreateRole persists a new role.
	CreateRole(ctx context.Context, r *Role) error

	// GetRole retrieves a role by ID.
	GetRole(ctx context.Context, roleID id.RoleID) (*Role, error)

	// GetRoleBySlug retrieves a role by tenant, namespace, and slug.
	// Slugs are unique per (tenant_id, namespace_path); the namespace
	// argument disambiguates roles that share the same slug across
	// different namespace scopes.
	GetRoleBySlug(ctx context.Context, tenantID, namespacePath, slug string) (*Role, error)

	// UpdateRole persists changes to a role.
	UpdateRole(ctx context.Context, r *Role) error

	// DeleteRole removes a role by ID.
	DeleteRole(ctx context.Context, roleID id.RoleID) error

	// ListRoles returns roles matching the filter.
	ListRoles(ctx context.Context, filter *ListFilter) ([]*Role, error)

	// CountRoles returns the number of roles matching the filter.
	CountRoles(ctx context.Context, filter *ListFilter) (int64, error)

	// ListRolePermissions returns the full Permission records granted to a
	// role, resolved via JOIN against warden_permissions. Returning the full
	// records avoids the engine's previous N+1 GetPermission loop in the
	// RBAC evaluator.
	ListRolePermissions(ctx context.Context, roleID id.RoleID) ([]*permission.Permission, error)

	// AttachPermission links a permission to a role by natural key.
	// The (NamespacePath, Name) pair uniquely identifies a permission within
	// the role's tenant.
	AttachPermission(ctx context.Context, roleID id.RoleID, ref permission.Ref) error

	// DetachPermission removes a permission grant from a role.
	DetachPermission(ctx context.Context, roleID id.RoleID, ref permission.Ref) error

	// SetRolePermissions replaces all permission grants for a role.
	SetRolePermissions(ctx context.Context, roleID id.RoleID, refs []permission.Ref) error

	// ListChildRoles returns direct child roles of a parent within a tenant.
	// Children are inherently per-tenant since slugs are unique per tenant.
	ListChildRoles(ctx context.Context, tenantID, parentSlug string) ([]*Role, error)

	// DeleteRolesByTenant removes all roles for a tenant.
	DeleteRolesByTenant(ctx context.Context, tenantID string) error
}

Store defines persistence operations for roles.
