package rbac import ( "database/sql" ) // Role in the system type Role struct { ID int `json:"id"` Name string `json:"name"` } // A capability is an action that can be performed in the system. type Capability struct { ID int `json:"id"` Name string `json:"name"` Description string `json:"description"` } // Links a user to a role. type UserRole struct { UserID int `json:"user_id"` RoleID int `json:"role_id"` } // A role can have many capabilities. type RoleCapability struct { RoleID int `json:"role_id"` CapabilityID int `json:"capability_id"` } // RbacStore is an interface for interacting with the RBAC data store. type RbacStore interface { GetUserRoles(userID int) ([]Role, error) GetRoleCapabilities(roleID int) ([]Capability, error) HasCapability(userID int, capabilityName string) (bool, error) } // SqlRbacStore implements the RbacStore interface using SQLite. type SqlRbacStore struct { db *sql.DB } func NewSqlRbacStore(db *sql.DB) (*SqlRbacStore, error) { s := &SqlRbacStore{db: db} err := s.createTablesIfMissing() if err != nil { return nil, err } return s, nil } func (s *SqlRbacStore) createTablesIfMissing() (err error) { _, err = s.db.Exec(`CREATE TABLE IF NOT EXISTS roles ( id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL )`) if err != nil { return } _, err = s.db.Exec(`CREATE TABLE IF NOT EXISTS capabilities ( id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, description TEXT )`) if err != nil { return } _, err = s.db.Exec(`CREATE TABLE IF NOT EXISTS user_roles ( user_id INTEGER NOT NULL, role_id INTEGER NOT NULL, PRIMARY KEY (user_id, role_id) )`) if err != nil { return } _, err = s.db.Exec(`CREATE TABLE IF NOT EXISTS role_capabilities ( role_id INTEGER NOT NULL, capability_id INTEGER NOT NULL, PRIMARY KEY (role_id, capability_id) )`) return } func (s *SqlRbacStore) GetUserRoles(userID int) ([]Role, error) { var roles []Role rows, err := s.db.Query("SELECT r.id, r.name FROM roles r JOIN user_roles ur ON r.id = ur.role_id WHERE ur.user_id = ?", userID) if err != nil { return nil, err } defer rows.Close() for rows.Next() { var role Role err = rows.Scan(&role.ID, &role.Name) if err != nil { return nil, err } roles = append(roles, role) } return roles, nil } func (s *SqlRbacStore) GetRoleCapabilities(roleID int) ([]Capability, error) { var capabilities []Capability rows, err := s.db.Query("SELECT c.id, c.name, c.description FROM capabilities c JOIN role_capabilities rc ON c.id = rc.capability_id WHERE rc.role_id = ?", roleID) if err != nil { return nil, err } defer rows.Close() for rows.Next() { var capability Capability err = rows.Scan(&capability.ID, &capability.Name, &capability.Description) if err != nil { return nil, err } capabilities = append(capabilities, capability) } return capabilities, nil } func (s *SqlRbacStore) HasCapability(userID int, capabilityName string) (bool, error) { var has bool err := s.db.QueryRow("SELECT EXISTS(SELECT 1 FROM role_capabilities rc JOIN user_roles ur ON rc.role_id = ur.role_id WHERE ur.user_id = ? AND rc.capability_id = (SELECT id FROM capabilities WHERE name = ?))", userID, capabilityName).Scan(&has) if err != nil { return false, err } return has, nil } type RbacService struct { store RbacStore } func NewRbacService(store RbacStore) *RbacService { return &RbacService{store: store} } func (s *RbacService) GetUserRoles(userID int) ([]Role, error) { return s.store.GetUserRoles(userID) } func (s *RbacService) GetRoleCapabilities(roleID int) ([]Capability, error) { return s.store.GetRoleCapabilities(roleID) } func (s *RbacService) HasCapability(userID int, capabilityName string) (bool, error) { return s.store.HasCapability(userID, capabilityName) }