h/oslstats
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d2b1a252eaf2372f84d26097e967d1641693adc9
oslstats/internal/rbac/cache_middleware.go
Haelnorr d2b1a252ea rbac system first stage
2026-02-03 21:37:06 +11:00

96 lines
2.5 KiB
Go
Raw Blame History

package rbac
import (
"context"
"net/http"
"time"
"git.haelnorr.com/h/golib/hws"
"git.haelnorr.com/h/oslstats/internal/db"
"git.haelnorr.com/h/oslstats/internal/permissions"
"git.haelnorr.com/h/oslstats/internal/roles"
"git.haelnorr.com/h/oslstats/pkg/contexts"
"github.com/pkg/errors"
)
// LoadPermissionsMiddleware loads user permissions into context after authentication
// MUST run AFTER auth.Authenticate() middleware
func (c *Checker) LoadPermissionsMiddleware() hws.Middleware {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
user := db.CurrentUser(r.Context())
if user == nil {
// No authenticated user - continue without permissions
next.ServeHTTP(w, r)
return
}
// Start transaction for loading permissions
ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
defer cancel()
tx, err := c.conn.BeginTx(ctx, nil)
if err != nil {
// Log but don't block - permission checks will fail gracefully
c.s.LogError(hws.HWSError{
Message: "Failed to start database transaction",
Error: errors.Wrap(err, "c.conn.BeginTx"),
Level: hws.ErrorERROR,
})
next.ServeHTTP(w, r)
return
}
defer func() { _ = tx.Rollback() }()
// Load user's roles_ and permissions
roles_, err := user.GetRoles(ctx, tx)
if err != nil {
c.s.LogError(hws.HWSError{
Message: "Failed to get user roles",
Error: errors.Wrap(err, "user.GetRoles"),
Level: hws.ErrorERROR,
})
next.ServeHTTP(w, r)
return
}
perms, err := user.GetPermissions(ctx, tx)
if err != nil {
c.s.LogError(hws.HWSError{
Message: "Failed to get user permissions",
Error: errors.Wrap(err, "user.GetPermissions"),
Level: hws.ErrorERROR,
})
next.ServeHTTP(w, r)
return
}
_ = tx.Commit() // read only transaction
// Build permission cache
cache := &contexts.PermissionCache{
Permissions: make(map[permissions.Permission]bool),
Roles: make(map[roles.Role]bool),
}
// Check for wildcard permission
hasWildcard := false
for _, perm := range perms {
cache.Permissions[perm.Name] = true
if perm.Name == permissions.Wildcard {
hasWildcard = true
}
}
cache.HasWildcard = hasWildcard
for _, role := range roles_ {
cache.Roles[role.Name] = true
}
// Add cache to context (type-safe)
ctx = context.WithValue(ctx, contexts.PermissionCacheKey, cache)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}
Reference in New Issue View Git Blame Copy Permalink