h/oslstats
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rbac system first stage

Browse Source
This commit is contained in:
Haelnorr
2026-02-03 21:37:06 +11:00
parent 24bbc5337b
commit d2b1a252ea
38 changed files with 1966 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
internal/rbac/cache_middleware.go Normal file
View File

@@ -0,0 +1,95 @@
package rbac
import (
"context"
"net/http"
"time"
"git.haelnorr.com/h/golib/hws"
"git.haelnorr.com/h/oslstats/internal/db"
"git.haelnorr.com/h/oslstats/internal/permissions"
"git.haelnorr.com/h/oslstats/internal/roles"
"git.haelnorr.com/h/oslstats/pkg/contexts"
"github.com/pkg/errors"
)
// LoadPermissionsMiddleware loads user permissions into context after authentication
// MUST run AFTER auth.Authenticate() middleware
func (c *Checker) LoadPermissionsMiddleware() hws.Middleware {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
user := db.CurrentUser(r.Context())
if user == nil {
// No authenticated user - continue without permissions
next.ServeHTTP(w, r)
return
}
// Start transaction for loading permissions
ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
defer cancel()
tx, err := c.conn.BeginTx(ctx, nil)
if err != nil {
// Log but don't block - permission checks will fail gracefully
c.s.LogError(hws.HWSError{
Message: "Failed to start database transaction",
Error: errors.Wrap(err, "c.conn.BeginTx"),
Level: hws.ErrorERROR,
})
next.ServeHTTP(w, r)
return
}
defer func() { _ = tx.Rollback() }()
// Load user's roles_ and permissions
roles_, err := user.GetRoles(ctx, tx)
if err != nil {
c.s.LogError(hws.HWSError{
Message: "Failed to get user roles",
Error: errors.Wrap(err, "user.GetRoles"),
Level: hws.ErrorERROR,
})
next.ServeHTTP(w, r)
return
}
perms, err := user.GetPermissions(ctx, tx)
if err != nil {
c.s.LogError(hws.HWSError{
Message: "Failed to get user permissions",
Error: errors.Wrap(err, "user.GetPermissions"),
Level: hws.ErrorERROR,
})
next.ServeHTTP(w, r)
return
}
_ = tx.Commit() // read only transaction
// Build permission cache
cache := &contexts.PermissionCache{
Permissions: make(map[permissions.Permission]bool),
Roles: make(map[roles.Role]bool),
}
// Check for wildcard permission
hasWildcard := false
for _, perm := range perms {
cache.Permissions[perm.Name] = true
if perm.Name == permissions.Wildcard {
hasWildcard = true
}
}
cache.HasWildcard = hasWildcard
for _, role := range roles_ {
cache.Roles[role.Name] = true
}
// Add cache to context (type-safe)
ctx = context.WithValue(ctx, contexts.PermissionCacheKey, cache)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}

108
internal/rbac/checker.go Normal file
View File

@@ -0,0 +1,108 @@
package rbac
import (
"context"
"git.haelnorr.com/h/golib/hws"
"git.haelnorr.com/h/oslstats/internal/db"
"git.haelnorr.com/h/oslstats/internal/permissions"
"git.haelnorr.com/h/oslstats/internal/roles"
"git.haelnorr.com/h/oslstats/pkg/contexts"
"github.com/pkg/errors"
"github.com/uptrace/bun"
)
type Checker struct {
conn *bun.DB
s *hws.Server
}
func NewChecker(conn *bun.DB, s *hws.Server) (*Checker, error) {
if conn == nil || s == nil {
return nil, errors.New("arguments cannot be nil")
}
return &Checker{conn: conn, s: s}, nil
}
// UserHasPermission checks if user has a specific permission (uses cache)
func (c *Checker) UserHasPermission(ctx context.Context, user *db.User, permission permissions.Permission) (bool, error) {
if user == nil {
return false, nil
}
// Try cache first
cache := contexts.Permissions(ctx)
if cache != nil {
if cache.HasWildcard {
return true, nil
}
if has, exists := cache.Permissions[permission]; exists {
return has, nil
}
}
// Fallback to database
tx, err := c.conn.BeginTx(ctx, nil)
if err != nil {
return false, errors.Wrap(err, "conn.BeginTx")
}
defer func() { _ = tx.Rollback() }()
has, err := user.HasPermission(ctx, tx, permission)
if err != nil {
return false, err
}
return has, nil
}
// UserHasRole checks if user has a specific role (uses cache)
func (c *Checker) UserHasRole(ctx context.Context, user *db.User, role roles.Role) (bool, error) {
if user == nil {
return false, nil
}
cache := contexts.Permissions(ctx)
if cache != nil {
if has, exists := cache.Roles[role]; exists {
return has, nil
}
}
// Fallback to database
tx, err := c.conn.BeginTx(ctx, nil)
if err != nil {
return false, errors.Wrap(err, "conn.BeginTx")
}
defer func() { _ = tx.Rollback() }()
return user.HasRole(ctx, tx, role)
}
// UserHasAnyPermission checks if user has ANY of the given permissions
func (c *Checker) UserHasAnyPermission(ctx context.Context, user *db.User, permissions ...permissions.Permission) (bool, error) {
for _, perm := range permissions {
has, err := c.UserHasPermission(ctx, user, perm)
if err != nil {
return false, err
}
if has {
return true, nil
}
}
return false, nil
}
// UserHasAllPermissions checks if user has ALL of the given permissions
func (c *Checker) UserHasAllPermissions(ctx context.Context, user *db.User, permissions ...permissions.Permission) (bool, error) {
for _, perm := range permissions {
has, err := c.UserHasPermission(ctx, user, perm)
if err != nil {
return false, err
}
if !has {
return false, nil
}
}
return true, nil
}

22
internal/rbac/config.go Normal file
View File

@@ -0,0 +1,22 @@
// Package rbac provides Role-Based Access Control functionality
package rbac
import (
"errors"
"git.haelnorr.com/h/golib/env"
)
type Config struct {
AdminDiscordID string // ENV ADMIN_DISCORD_ID: Discord ID to grant admin role on first login (required)
}
func ConfigFromEnv() (any, error) {
cfg := &Config{
AdminDiscordID: env.String("ADMIN_DISCORD_ID", ""),
}
if cfg.AdminDiscordID == "" {
return nil, errors.New("env var not set: ADMIN_DISCORD_ID")
}
return cfg, nil
}

41
internal/rbac/ezconf.go Normal file
View File

@@ -0,0 +1,41 @@
package rbac
import (
"runtime"
"strings"
)
// EZConfIntegration provides integration with ezconf for automatic configuration
type EZConfIntegration struct {
configFunc func() (any, error)
name string
}
// PackagePath returns the path to the config package for source parsing
func (e EZConfIntegration) PackagePath() string {
_, filename, _, _ := runtime.Caller(0)
// Return directory of this file
return filename[:len(filename)-len("/ezconf.go")]
}
// ConfigFunc returns the ConfigFromEnv function for ezconf
func (e EZConfIntegration) ConfigFunc() func() (any, error) {
return func() (any, error) {
return e.configFunc()
}
}
// Name returns the name to use when registering with ezconf
func (e EZConfIntegration) Name() string {
return strings.ToLower(e.name)
}
// GroupName returns the display name for grouping environment variables
func (e EZConfIntegration) GroupName() string {
return e.name
}
// NewEZConfIntegration creates a new EZConf integration helper
func NewEZConfIntegration() EZConfIntegration {
return EZConfIntegration{name: "RBAC", configFunc: ConfigFromEnv}
}

101
internal/rbac/protection_middleware.go Normal file
View File

@@ -0,0 +1,101 @@
package rbac
import (
"net/http"
"git.haelnorr.com/h/golib/cookies"
"git.haelnorr.com/h/golib/hws"
"git.haelnorr.com/h/oslstats/internal/db"
"git.haelnorr.com/h/oslstats/internal/permissions"
"git.haelnorr.com/h/oslstats/internal/roles"
)
// RequirePermission creates middleware that requires a specific permission
func (c *Checker) RequirePermission(server *hws.Server, permission permissions.Permission) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
user := db.CurrentUser(r.Context())
if user == nil {
// Not logged in - redirect to login with page_from
cookies.SetPageFrom(w, r, r.URL.Path)
http.Redirect(w, r, "/login", http.StatusSeeOther)
return
}
has, err := c.UserHasPermission(r.Context(), user, permission)
if err != nil {
// Log error and return 500
server.ThrowError(w, r, hws.HWSError{
StatusCode: http.StatusInternalServerError,
Message: "Permission check failed",
Error: err,
Level: hws.ErrorERROR,
RenderErrorPage: true,
})
return
}
if !has {
// User lacks permission - return 403
server.ThrowError(w, r, hws.HWSError{
StatusCode: http.StatusForbidden,
Message: "You don't have permission to access this resource",
Error: nil,
Level: hws.ErrorDEBUG,
RenderErrorPage: true,
})
return
}
next.ServeHTTP(w, r)
})
}
}
// RequireRole creates middleware that requires a specific role
func (c *Checker) RequireRole(server *hws.Server, role roles.Role) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
user := db.CurrentUser(r.Context())
if user == nil {
// Not logged in - redirect to login
cookies.SetPageFrom(w, r, r.URL.Path)
http.Redirect(w, r, "/login", http.StatusSeeOther)
return
}
has, err := c.UserHasRole(r.Context(), user, role)
if err != nil {
// Log error and return 500
hwserr := hws.HWSError{
StatusCode: http.StatusInternalServerError,
Message: "Role check failed",
Error: err,
Level: hws.ErrorERROR,
RenderErrorPage: true,
}
server.ThrowError(w, r, hwserr)
return
}
if !has {
// User lacks role - return 403
server.ThrowError(w, r, hws.HWSError{
StatusCode: http.StatusForbidden,
Message: "You don't have the required role to access this resource",
Error: nil,
Level: hws.ErrorDEBUG,
RenderErrorPage: true,
})
return
}
next.ServeHTTP(w, r)
})
}
}
// RequireAdmin is a convenience middleware for admin-only routes
func (c *Checker) RequireAdmin(server *hws.Server) func(http.Handler) http.Handler {
return c.RequireRole(server, roles.Admin)
}