oslstats/internal/db/permission.go

package db

import (
	"context"
	"database/sql"

	"git.haelnorr.com/h/oslstats/internal/permissions"
	"github.com/pkg/errors"
	"github.com/uptrace/bun"
)

type Permission struct {
	bun.BaseModel `bun:"table:permissions,alias:p"`

	ID          int                    `bun:"id,pk,autoincrement"`
	Name        permissions.Permission `bun:"name,unique,notnull"`
	DisplayName string                 `bun:"display_name,notnull"`
	Description string                 `bun:"description"`
	Resource    string                 `bun:"resource,notnull"`
	Action      string                 `bun:"action,notnull"`
	IsSystem    bool                   `bun:"is_system,default:false"`
	CreatedAt   int64                  `bun:"created_at,notnull"`

	Roles []Role `bun:"m2m:role_permissions,join:Permission=Role"`
}

func (p Permission) isSystem() bool {
	return p.IsSystem
}

// GetPermissionByName queries the database for a permission matching the given name
// Returns nil, nil if no permission is found
func GetPermissionByName(ctx context.Context, tx bun.Tx, name permissions.Permission) (*Permission, error) {
	if name == "" {
		return nil, errors.New("name cannot be empty")
	}

	perm := new(Permission)
	err := tx.NewSelect().
		Model(perm).
		Where("name = ?", name).
		Limit(1).
		Scan(ctx)
	if err != nil {
		if errors.Is(err, sql.ErrNoRows) {
			return nil, nil
		}
		return nil, errors.Wrap(err, "tx.NewSelect")
	}
	return perm, nil
}

// GetPermissionByID queries the database for a permission matching the given ID
// Returns nil, nil if no permission is found
func GetPermissionByID(ctx context.Context, tx bun.Tx, id int) (*Permission, error) {
	if id <= 0 {
		return nil, errors.New("id must be positive")
	}

	perm := new(Permission)
	err := tx.NewSelect().
		Model(perm).
		Where("id = ?", id).
		Limit(1).
		Scan(ctx)
	if err != nil {
		if errors.Is(err, sql.ErrNoRows) {
			return nil, nil
		}
		return nil, errors.Wrap(err, "tx.NewSelect")
	}
	return perm, nil
}

// GetPermissionsByResource queries for all permissions for a given resource
func GetPermissionsByResource(ctx context.Context, tx bun.Tx, resource string) ([]*Permission, error) {
	if resource == "" {
		return nil, errors.New("resource cannot be empty")
	}

	perms := []*Permission{}
	err := tx.NewSelect().
		Model(&perms).
		Where("resource = ?", resource).
		Order("action ASC").
		Scan(ctx)
	if err != nil && !errors.Is(err, sql.ErrNoRows) {
		return nil, errors.Wrap(err, "tx.NewSelect")
	}
	return perms, nil
}

// GetPermissionsByIDs queries for permissions matching the given IDs
func GetPermissionsByIDs(ctx context.Context, tx bun.Tx, ids []int) ([]*Permission, error) {
	if len(ids) == 0 {
		return []*Permission{}, nil
	}

	var perms []*Permission
	err := tx.NewSelect().
		Model(&perms).
		Where("id IN (?)", bun.In(ids)).
		Scan(ctx)
	if err != nil && errors.Is(err, sql.ErrNoRows) {
		return nil, errors.Wrap(err, "tx.NewSelect")
	}
	return perms, nil
}

// ListAllPermissions returns all permissions
func ListAllPermissions(ctx context.Context, tx bun.Tx) ([]*Permission, error) {
	var perms []*Permission
	err := tx.NewSelect().
		Model(&perms).
		Order("resource ASC", "action ASC").
		Scan(ctx)
	if err != nil && errors.Is(err, sql.ErrNoRows) {
		return nil, errors.Wrap(err, "tx.NewSelect")
	}
	return perms, nil
}

// CreatePermission creates a new permission
func CreatePermission(ctx context.Context, tx bun.Tx, perm *Permission) error {
	if perm == nil {
		return errors.New("permission cannot be nil")
	}
	if perm.Name == "" {
		return errors.New("name cannot be empty")
	}
	if perm.DisplayName == "" {
		return errors.New("display name cannot be empty")
	}
	if perm.Resource == "" {
		return errors.New("resource cannot be empty")
	}
	if perm.Action == "" {
		return errors.New("action cannot be empty")
	}

	_, err := tx.NewInsert().
		Model(perm).
		Returning("id").
		Exec(ctx)
	if err != nil {
		return errors.Wrap(err, "tx.NewInsert")
	}

	return nil
}

// DeletePermission deletes a permission (checks IsSystem protection)
func DeletePermission(ctx context.Context, tx bun.Tx, id int) error {
	if id <= 0 {
		return errors.New("id must be positive")
	}
	return DeleteWithProtection[Permission](ctx, tx, id)
}