template-monorepo/internal/logic/permission/reload_policy_logic.go

package permission

import (
	"context"
	"time"

	"gateway/internal/svc"
	"gateway/internal/types"

	"github.com/zeromicro/go-zero/core/logx"
)

type ReloadPolicyLogic struct {
	logx.Logger
	ctx    context.Context
	svcCtx *svc.ServiceContext
}

// NewReloadPolicyLogic returns the policy reload logic.
func NewReloadPolicyLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ReloadPolicyLogic {
	return &ReloadPolicyLogic{
		Logger: logx.WithContext(ctx),
		ctx:    ctx,
		svcCtx: svcCtx,
	}
}

// ReloadPolicy forces a Casbin LoadPolicy on this pod and broadcasts a
// Pub/Sub event so other pods follow. Empty tenant_id reloads the
// caller's tenant; "*" reloads every tenant.
func (l *ReloadPolicyLogic) ReloadPolicy(req *types.PolicyReloadReq) (*types.PolicyReloadData, error) {
	if l.svcCtx.PermissionRBAC == nil {
		return nil, errb.SysNotImplemented("casbin enforcer not configured")
	}
	tenant := req.TenantID
	if tenant == "" {
		actor, err := ActorFromContext(l.ctx)
		if err != nil {
			return nil, errb.AuthUnauthorized(err.Error()).WithCause(err)
		}
		tenant = actor.TenantID
	}
	if tenant == "*" {
		if err := l.svcCtx.PermissionRBAC.LoadAllPolicies(l.ctx); err != nil {
			return nil, err
		}
	} else if err := l.svcCtx.PermissionRBAC.LoadPolicy(l.ctx, tenant); err != nil {
		return nil, err
	}
	if err := l.svcCtx.PermissionRBAC.BroadcastReload(l.ctx, tenant); err != nil {
		l.Errorf("permission: broadcast reload tenant=%s: %v", tenant, err)
	}
	return &types.PolicyReloadData{
		Tenant: tenant,
		TS:     time.Now().UnixMilli(),
	}, nil
}
feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 08:47:35 +00:00			`package permission`

			`import (`
			`"context"`
			`"time"`

			`"gateway/internal/svc"`
			`"gateway/internal/types"`

			`"github.com/zeromicro/go-zero/core/logx"`
			`)`

			`type ReloadPolicyLogic struct {`
			`logx.Logger`
			`ctx context.Context`
			`svcCtx *svc.ServiceContext`
			`}`

			`// NewReloadPolicyLogic returns the policy reload logic.`
			`func NewReloadPolicyLogic(ctx context.Context, svcCtx svc.ServiceContext) ReloadPolicyLogic {`
			`return &ReloadPolicyLogic{`
			`Logger: logx.WithContext(ctx),`
			`ctx: ctx,`
			`svcCtx: svcCtx,`
			`}`
			`}`

			`// ReloadPolicy forces a Casbin LoadPolicy on this pod and broadcasts a`
			`// Pub/Sub event so other pods follow. Empty tenant_id reloads the`
			`// caller's tenant; "*" reloads every tenant.`
			`func (l ReloadPolicyLogic) ReloadPolicy(req types.PolicyReloadReq) (*types.PolicyReloadData, error) {`
			`if l.svcCtx.PermissionRBAC == nil {`
			`return nil, errb.SysNotImplemented("casbin enforcer not configured")`
			`}`
			`tenant := req.TenantID`
			`if tenant == "" {`
			`actor, err := ActorFromContext(l.ctx)`
			`if err != nil {`
			`return nil, errb.AuthUnauthorized(err.Error()).WithCause(err)`
			`}`
			`tenant = actor.TenantID`
			`}`
			`if tenant == "*" {`
			`if err := l.svcCtx.PermissionRBAC.LoadAllPolicies(l.ctx); err != nil {`
			`return nil, err`
			`}`
			`} else if err := l.svcCtx.PermissionRBAC.LoadPolicy(l.ctx, tenant); err != nil {`
			`return nil, err`
			`}`
			`if err := l.svcCtx.PermissionRBAC.BroadcastReload(l.ctx, tenant); err != nil {`
			`l.Errorf("permission: broadcast reload tenant=%s: %v", tenant, err)`
			`}`
			`return &types.PolicyReloadData{`
			`Tenant: tenant,`
			`TS: time.Now().UnixMilli(),`
			`}, nil`
			`}`