digimon
/
template-monorepo
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
template-monorepo/internal/model/permission/domain/redis.go

55 lines
1.8 KiB
Go
Raw Permalink Normal View History

feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-21 08:47:35 +00:00
package domain
import "strings"
// RedisKey is the permission module Redis key prefix. Use the package-level
// helpers (Get*RedisKey) instead of string concatenation so the layout stays
// auditable.
type RedisKey string
// Key prefixes for the permission module. Layout matches
docs: 統整模組 README ↔ SDD 分工,砍重複內容 讓「找規格」跟「日常速查」兩種需求各有歸宿,避免同樣資訊散落多處: - 改寫 docs/identity-member-design.md:從 Big5 亂碼的 2673 行設計草稿 → ~200 行 UTF-8 跨模組總覽(架構決策、模組依賴、UID、JWT、Casbin、 Pub/Sub、Notification 全部一頁看完),不再跟模組 README 重疊 - 新增 internal/model/auth/README.md:合併原 auth-unified-registration + auth/SDD 的高層概念,留 SDD 給規格細節 - 精簡 member / permission / notification README:保留 sequence diagram、 curl、ServiceContext wiring 等日常開發要的東西;逐欄位 schema / Redis key TTL / API endpoint list 等規格細節改指向各模組 SDD.md - 每個 README 頂部加「規格 vs 速查」一行指路,找欄位 → SDD,找流程 → README - root README 同步補上各模組 README + SDD 並列連結 - code comment 裡的 internal/model/{member,permission}/SDD.md §X.Y 引用 全部對齊新章節編號 Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-22 09:18:08 +00:00
// internal/model/permission/SDD.md §4.1 (Redis Keys).
feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-21 08:47:35 +00:00
const (
CasbinRulesRedisKey RedisKey = "permission:casbin:rules"
UserRolesRedisKey RedisKey = "perm:user_roles"
RolePermsRedisKey RedisKey = "perm:role_perms"
PermissionTreeKey RedisKey = "permission:tree:open"
PolicyReloadLockKey RedisKey = "permission:policy:reload:lock"
StepUpUsedRedisKey RedisKey = "permission:stepup:used"
PermissionAuthGenKey RedisKey = "auth:gen"
)
// With appends colon-separated parts to the key.
func (key RedisKey) With(parts ...string) RedisKey {
if len(parts) == 0 {
return key
}
return RedisKey(string(key) + ":" + strings.Join(parts, ":"))
}
// String returns the raw key.
func (key RedisKey) String() string {
return string(key)
}
// GetCasbinRulesRedisKey returns the tenant-scoped Casbin policy list key.
func GetCasbinRulesRedisKey(tenantID string) string {
return CasbinRulesRedisKey.With(tenantID).String()
}
// GetUserRolesRedisKey returns the cache key for a user's role keys.
func GetUserRolesRedisKey(tenantID, uid string) string {
return UserRolesRedisKey.With(tenantID, uid).String()
}
// GetRolePermsRedisKey returns the cache key for a role's permission names.
func GetRolePermsRedisKey(tenantID, roleID string) string {
return RolePermsRedisKey.With(tenantID, roleID).String()
}
// GetAuthGenRedisKey returns the auth_gen revocation counter key. It mirrors
// the auth module's namespace because permission changes also bump auth_gen.
func GetAuthGenRedisKey(tenantID, uid string) string {
return PermissionAuthGenKey.With(tenantID, uid).String()
}