rbac system first stage
This commit is contained in:
95
internal/rbac/cache_middleware.go
Normal file
95
internal/rbac/cache_middleware.go
Normal file
@@ -0,0 +1,95 @@
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"git.haelnorr.com/h/golib/hws"
|
||||
"git.haelnorr.com/h/oslstats/internal/db"
|
||||
"git.haelnorr.com/h/oslstats/internal/permissions"
|
||||
"git.haelnorr.com/h/oslstats/internal/roles"
|
||||
"git.haelnorr.com/h/oslstats/pkg/contexts"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
// LoadPermissionsMiddleware loads user permissions into context after authentication
|
||||
// MUST run AFTER auth.Authenticate() middleware
|
||||
func (c *Checker) LoadPermissionsMiddleware() hws.Middleware {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
user := db.CurrentUser(r.Context())
|
||||
|
||||
if user == nil {
|
||||
// No authenticated user - continue without permissions
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
// Start transaction for loading permissions
|
||||
ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
|
||||
defer cancel()
|
||||
tx, err := c.conn.BeginTx(ctx, nil)
|
||||
if err != nil {
|
||||
// Log but don't block - permission checks will fail gracefully
|
||||
c.s.LogError(hws.HWSError{
|
||||
Message: "Failed to start database transaction",
|
||||
Error: errors.Wrap(err, "c.conn.BeginTx"),
|
||||
Level: hws.ErrorERROR,
|
||||
})
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
defer func() { _ = tx.Rollback() }()
|
||||
|
||||
// Load user's roles_ and permissions
|
||||
roles_, err := user.GetRoles(ctx, tx)
|
||||
if err != nil {
|
||||
c.s.LogError(hws.HWSError{
|
||||
Message: "Failed to get user roles",
|
||||
Error: errors.Wrap(err, "user.GetRoles"),
|
||||
Level: hws.ErrorERROR,
|
||||
})
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
perms, err := user.GetPermissions(ctx, tx)
|
||||
if err != nil {
|
||||
c.s.LogError(hws.HWSError{
|
||||
Message: "Failed to get user permissions",
|
||||
Error: errors.Wrap(err, "user.GetPermissions"),
|
||||
Level: hws.ErrorERROR,
|
||||
})
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
_ = tx.Commit() // read only transaction
|
||||
|
||||
// Build permission cache
|
||||
cache := &contexts.PermissionCache{
|
||||
Permissions: make(map[permissions.Permission]bool),
|
||||
Roles: make(map[roles.Role]bool),
|
||||
}
|
||||
|
||||
// Check for wildcard permission
|
||||
hasWildcard := false
|
||||
for _, perm := range perms {
|
||||
cache.Permissions[perm.Name] = true
|
||||
if perm.Name == permissions.Wildcard {
|
||||
hasWildcard = true
|
||||
}
|
||||
}
|
||||
cache.HasWildcard = hasWildcard
|
||||
|
||||
for _, role := range roles_ {
|
||||
cache.Roles[role.Name] = true
|
||||
}
|
||||
|
||||
// Add cache to context (type-safe)
|
||||
ctx = context.WithValue(ctx, contexts.PermissionCacheKey, cache)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user