rbac/rbac.go

package rbac

import (
	"database/sql"
)

// Role in the system
type Role struct {
	ID   int    `json:"id"`
	Name string `json:"name"`
}

// A capability is an action that can be performed in the system.
type Capability struct {
	ID          int    `json:"id"`
	Name        string `json:"name"`
	Description string `json:"description"`
}

// Links a user to a role.
type UserRole struct {
	UserID int `json:"user_id"`
	RoleID int `json:"role_id"`
}

// A role can have many capabilities.
type RoleCapability struct {
	RoleID       int `json:"role_id"`
	CapabilityID int `json:"capability_id"`
}

// RbacStore is an interface for interacting with the RBAC data store.
type RbacStore interface {
	GetUserRoles(userID int) ([]Role, error)
	GetRoleCapabilities(roleID int) ([]Capability, error)
	HasCapability(userID int, capabilityName string) (bool, error)
}

// SqlRbacStore implements the RbacStore interface using SQLite.
type SqlRbacStore struct {
	db *sql.DB
}

func NewSqlRbacStore(db *sql.DB) (*SqlRbacStore, error) {
	s := &SqlRbacStore{db: db}
	err := s.createTablesIfMissing()
	if err != nil {
		return nil, err
	}
	return s, nil
}

func (s *SqlRbacStore) createTablesIfMissing() (err error) {
	_, err = s.db.Exec(`CREATE TABLE IF NOT EXISTS roles (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        name TEXT NOT NULL
    )`)
	if err != nil {
		return
	}
	_, err = s.db.Exec(`CREATE TABLE IF NOT EXISTS capabilities (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        name TEXT NOT NULL,
        description TEXT
    )`)
	if err != nil {
		return
	}
	_, err = s.db.Exec(`CREATE TABLE IF NOT EXISTS user_roles (
        user_id INTEGER NOT NULL,
        role_id INTEGER NOT NULL,
        PRIMARY KEY (user_id, role_id)
    )`)
	if err != nil {
		return
	}
	_, err = s.db.Exec(`CREATE TABLE IF NOT EXISTS role_capabilities (
        role_id INTEGER NOT NULL,
        capability_id INTEGER NOT NULL,
        PRIMARY KEY (role_id, capability_id)
    )`)
	return
}

func (s *SqlRbacStore) GetUserRoles(userID int) ([]Role, error) {
	var roles []Role
	rows, err := s.db.Query("SELECT r.id, r.name FROM roles r JOIN user_roles ur ON r.id = ur.role_id WHERE ur.user_id = ?", userID)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	for rows.Next() {
		var role Role
		err = rows.Scan(&role.ID, &role.Name)
		if err != nil {
			return nil, err
		}
		roles = append(roles, role)
	}
	return roles, nil
}

func (s *SqlRbacStore) GetRoleCapabilities(roleID int) ([]Capability, error) {
	var capabilities []Capability
	rows, err := s.db.Query("SELECT c.id, c.name, c.description FROM capabilities c JOIN role_capabilities rc ON c.id = rc.capability_id WHERE rc.role_id = ?", roleID)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	for rows.Next() {
		var capability Capability
		err = rows.Scan(&capability.ID, &capability.Name, &capability.Description)
		if err != nil {
			return nil, err
		}
		capabilities = append(capabilities, capability)
	}
	return capabilities, nil
}

func (s *SqlRbacStore) HasCapability(userID int, capabilityName string) (bool, error) {
	var has bool
	err := s.db.QueryRow("SELECT EXISTS(SELECT 1 FROM role_capabilities rc JOIN user_roles ur ON rc.role_id = ur.role_id WHERE ur.user_id = ? AND rc.capability_id = (SELECT id FROM capabilities WHERE name = ?))", userID, capabilityName).Scan(&has)
	if err != nil {
		return false, err
	}
	return has, nil
}

type RbacService struct {
	store RbacStore
}

func NewRbacService(store RbacStore) *RbacService {
	return &RbacService{store: store}
}

func (s *RbacService) GetUserRoles(userID int) ([]Role, error) {
	return s.store.GetUserRoles(userID)
}

func (s *RbacService) GetRoleCapabilities(roleID int) ([]Capability, error) {
	return s.store.GetRoleCapabilities(roleID)
}

func (s *RbacService) HasCapability(userID int, capabilityName string) (bool, error) {
	return s.store.HasCapability(userID, capabilityName)
}