template-monorepo/internal/model/permission/repository/role_mapping_mongo.go

package repository

import (
	"context"
	"errors"
	"time"

	libmongo "gateway/internal/library/mongo"
	permission "gateway/internal/model/permission/domain"
	"gateway/internal/model/permission/domain/entity"
	"gateway/internal/model/permission/domain/enum"
	domrepo "gateway/internal/model/permission/domain/repository"

	"go.mongodb.org/mongo-driver/v2/bson"
	mongodriver "go.mongodb.org/mongo-driver/v2/mongo"
	"go.mongodb.org/mongo-driver/v2/mongo/options"
)

// RoleMappingRepositoryParam configures the Mongo role mapping repository.
type RoleMappingRepositoryParam struct {
	Conf *libmongo.Conf
}

type roleMappingRepository struct {
	db libmongo.DocumentDBUseCase
}

// NewRoleMappingRepository creates a Mongo-backed RoleMappingRepository.
func NewRoleMappingRepository(param RoleMappingRepositoryParam) domrepo.RoleMappingRepository {
	documentDB, err := libmongo.NewDocumentDB(param.Conf, entity.RoleMapping{}.CollectionName())
	if err != nil {
		panic(err)
	}
	return &roleMappingRepository{db: documentDB}
}

func (r *roleMappingRepository) Insert(ctx context.Context, rm *entity.RoleMapping) error {
	now := time.Now().UTC().UnixMilli()
	if rm.ID.IsZero() {
		rm.ID = bson.NewObjectID()
	}
	if rm.CreateAt == 0 {
		rm.CreateAt = now
	}
	if rm.UpdateAt == 0 {
		rm.UpdateAt = now
	}
	_, err := r.db.GetClient().InsertOne(ctx, rm)
	if err != nil {
		if mongodriver.IsDuplicateKeyError(err) {
			return permission.ErrRoleMappingDuplicate
		}
		return err
	}
	return nil
}

func (r *roleMappingRepository) Upsert(ctx context.Context, rm *entity.RoleMapping) error {
	now := time.Now().UTC().UnixMilli()
	if rm.UpdateAt == 0 {
		rm.UpdateAt = now
	}
	filter := bson.M{
		permission.BSONFieldTenantID:       rm.TenantID,
		permission.BSONFieldExternalSource: rm.ExternalSource,
		permission.BSONFieldExternalKey:    rm.ExternalKey,
	}
	set := bson.M{
		permission.BSONFieldInternalRoleID:  rm.InternalRoleID,
		permission.BSONFieldInternalRoleKey: rm.InternalRoleKey,
		permission.BSONFieldUpdateAt:        rm.UpdateAt,
	}
	insert := bson.M{
		permission.BSONFieldTenantID:       rm.TenantID,
		permission.BSONFieldExternalSource: rm.ExternalSource,
		permission.BSONFieldExternalKey:    rm.ExternalKey,
		permission.BSONFieldCreateAt:       now,
	}
	_, err := r.db.GetClient().UpdateOne(ctx, filter,
		bson.M{bsonOpSet: set, bsonOpSetOnInsert: insert},
		options.UpdateOne().SetUpsert(true))
	return err
}

func (r *roleMappingRepository) Delete(
	ctx context.Context,
	tenantID string,
	source enum.RoleSource,
	externalKey string,
) error {
	filter := bson.M{
		permission.BSONFieldTenantID:       tenantID,
		permission.BSONFieldExternalSource: source,
		permission.BSONFieldExternalKey:    externalKey,
	}
	res, err := r.db.GetClient().DeleteOne(ctx, filter)
	if err != nil {
		return err
	}
	if res == 0 {
		return permission.ErrRoleMappingNotFound
	}
	return nil
}

func (r *roleMappingRepository) DeleteByRole(ctx context.Context, tenantID, roleID string) (int64, error) {
	filter := bson.M{
		permission.BSONFieldTenantID:       tenantID,
		permission.BSONFieldInternalRoleID: roleID,
	}
	return r.db.GetClient().DeleteMany(ctx, filter)
}

func (r *roleMappingRepository) GetByExternal(
	ctx context.Context,
	tenantID string,
	source enum.RoleSource,
	externalKey string,
) (*entity.RoleMapping, error) {
	filter := bson.M{
		permission.BSONFieldTenantID:       tenantID,
		permission.BSONFieldExternalSource: source,
		permission.BSONFieldExternalKey:    externalKey,
	}
	var doc entity.RoleMapping
	if err := r.db.GetClient().FindOne(ctx, &doc, filter); err != nil {
		if errors.Is(err, mongodriver.ErrNoDocuments) {
			return nil, permission.ErrRoleMappingNotFound
		}
		return nil, err
	}
	return &doc, nil
}

func (r *roleMappingRepository) ListByTenant(
	ctx context.Context,
	tenantID string,
	source *enum.RoleSource,
	offset, limit int64,
) ([]*entity.RoleMapping, int64, error) {
	q := bson.M{permission.BSONFieldTenantID: tenantID}
	if source != nil {
		q[permission.BSONFieldExternalSource] = *source
	}
	total, err := r.db.GetClient().CountDocuments(ctx, q)
	if err != nil {
		return nil, 0, err
	}
	if limit <= 0 {
		limit = 50
	}
	if limit > 200 {
		limit = 200
	}
	opts := options.Find().
		SetSkip(offset).
		SetLimit(limit).
		SetSort(bson.D{{Key: permission.BSONFieldCreateAt, Value: -1}})
	var docs []*entity.RoleMapping
	if err := r.db.GetClient().Find(ctx, &docs, q, opts); err != nil {
		return nil, 0, err
	}
	return docs, total, nil
}

// Index20260521001UP ensures role_mappings collection indexes exist.
func (r *roleMappingRepository) Index20260521001UP(ctx context.Context) error {
	if err := r.db.PopulateMultiIndex(ctx,
		[]string{
			permission.BSONFieldTenantID,
			permission.BSONFieldExternalSource,
			permission.BSONFieldExternalKey,
		},
		[]int32{1, 1, 1}, true); err != nil {
		return err
	}
	return r.db.PopulateMultiIndex(ctx,
		[]string{permission.BSONFieldTenantID, permission.BSONFieldInternalRoleID},
		[]int32{1, 1}, false)
}

var _ domrepo.RoleMappingRepository = (*roleMappingRepository)(nil)
feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 08:47:35 +00:00			`package repository`

			`import (`
			`"context"`
			`"errors"`
			`"time"`

			`libmongo "gateway/internal/library/mongo"`
			`permission "gateway/internal/model/permission/domain"`
			`"gateway/internal/model/permission/domain/entity"`
			`"gateway/internal/model/permission/domain/enum"`
			`domrepo "gateway/internal/model/permission/domain/repository"`

			`"go.mongodb.org/mongo-driver/v2/bson"`
			`mongodriver "go.mongodb.org/mongo-driver/v2/mongo"`
			`"go.mongodb.org/mongo-driver/v2/mongo/options"`
			`)`

			`// RoleMappingRepositoryParam configures the Mongo role mapping repository.`
			`type RoleMappingRepositoryParam struct {`
			`Conf *libmongo.Conf`
			`}`

			`type roleMappingRepository struct {`
			`db libmongo.DocumentDBUseCase`
			`}`

			`// NewRoleMappingRepository creates a Mongo-backed RoleMappingRepository.`
			`func NewRoleMappingRepository(param RoleMappingRepositoryParam) domrepo.RoleMappingRepository {`
			`documentDB, err := libmongo.NewDocumentDB(param.Conf, entity.RoleMapping{}.CollectionName())`
			`if err != nil {`
			`panic(err)`
			`}`
			`return &roleMappingRepository{db: documentDB}`
			`}`

			`func (r roleMappingRepository) Insert(ctx context.Context, rm entity.RoleMapping) error {`
			`now := time.Now().UTC().UnixMilli()`
			`if rm.ID.IsZero() {`
			`rm.ID = bson.NewObjectID()`
			`}`
			`if rm.CreateAt == 0 {`
			`rm.CreateAt = now`
			`}`
			`if rm.UpdateAt == 0 {`
			`rm.UpdateAt = now`
			`}`
			`_, err := r.db.GetClient().InsertOne(ctx, rm)`
			`if err != nil {`
			`if mongodriver.IsDuplicateKeyError(err) {`
			`return permission.ErrRoleMappingDuplicate`
			`}`
			`return err`
			`}`
			`return nil`
			`}`

			`func (r roleMappingRepository) Upsert(ctx context.Context, rm entity.RoleMapping) error {`
			`now := time.Now().UTC().UnixMilli()`
			`if rm.UpdateAt == 0 {`
			`rm.UpdateAt = now`
			`}`
			`filter := bson.M{`
			`permission.BSONFieldTenantID: rm.TenantID,`
			`permission.BSONFieldExternalSource: rm.ExternalSource,`
			`permission.BSONFieldExternalKey: rm.ExternalKey,`
			`}`
			`set := bson.M{`
			`permission.BSONFieldInternalRoleID: rm.InternalRoleID,`
			`permission.BSONFieldInternalRoleKey: rm.InternalRoleKey,`
			`permission.BSONFieldUpdateAt: rm.UpdateAt,`
			`}`
			`insert := bson.M{`
			`permission.BSONFieldTenantID: rm.TenantID,`
			`permission.BSONFieldExternalSource: rm.ExternalSource,`
			`permission.BSONFieldExternalKey: rm.ExternalKey,`
			`permission.BSONFieldCreateAt: now,`
			`}`
			`_, err := r.db.GetClient().UpdateOne(ctx, filter,`
			`bson.M{bsonOpSet: set, bsonOpSetOnInsert: insert},`
			`options.UpdateOne().SetUpsert(true))`
			`return err`
			`}`

			`func (r *roleMappingRepository) Delete(`
			`ctx context.Context,`
			`tenantID string,`
			`source enum.RoleSource,`
			`externalKey string,`
			`) error {`
			`filter := bson.M{`
			`permission.BSONFieldTenantID: tenantID,`
			`permission.BSONFieldExternalSource: source,`
			`permission.BSONFieldExternalKey: externalKey,`
			`}`
			`res, err := r.db.GetClient().DeleteOne(ctx, filter)`
			`if err != nil {`
			`return err`
			`}`
			`if res == 0 {`
			`return permission.ErrRoleMappingNotFound`
			`}`
			`return nil`
			`}`

			`func (r *roleMappingRepository) DeleteByRole(ctx context.Context, tenantID, roleID string) (int64, error) {`
			`filter := bson.M{`
			`permission.BSONFieldTenantID: tenantID,`
			`permission.BSONFieldInternalRoleID: roleID,`
			`}`
			`return r.db.GetClient().DeleteMany(ctx, filter)`
			`}`

			`func (r *roleMappingRepository) GetByExternal(`
			`ctx context.Context,`
			`tenantID string,`
			`source enum.RoleSource,`
			`externalKey string,`
			`) (*entity.RoleMapping, error) {`
			`filter := bson.M{`
			`permission.BSONFieldTenantID: tenantID,`
			`permission.BSONFieldExternalSource: source,`
			`permission.BSONFieldExternalKey: externalKey,`
			`}`
			`var doc entity.RoleMapping`
			`if err := r.db.GetClient().FindOne(ctx, &doc, filter); err != nil {`
			`if errors.Is(err, mongodriver.ErrNoDocuments) {`
			`return nil, permission.ErrRoleMappingNotFound`
			`}`
			`return nil, err`
			`}`
			`return &doc, nil`
			`}`

			`func (r *roleMappingRepository) ListByTenant(`
			`ctx context.Context,`
			`tenantID string,`
			`source *enum.RoleSource,`
			`offset, limit int64,`
			`) ([]*entity.RoleMapping, int64, error) {`
			`q := bson.M{permission.BSONFieldTenantID: tenantID}`
			`if source != nil {`
			`q[permission.BSONFieldExternalSource] = *source`
			`}`
			`total, err := r.db.GetClient().CountDocuments(ctx, q)`
			`if err != nil {`
			`return nil, 0, err`
			`}`
			`if limit <= 0 {`
			`limit = 50`
			`}`
			`if limit > 200 {`
			`limit = 200`
			`}`
			`opts := options.Find().`
			`SetSkip(offset).`
			`SetLimit(limit).`
			`SetSort(bson.D{{Key: permission.BSONFieldCreateAt, Value: -1}})`
			`var docs []*entity.RoleMapping`
			`if err := r.db.GetClient().Find(ctx, &docs, q, opts); err != nil {`
			`return nil, 0, err`
			`}`
			`return docs, total, nil`
			`}`

			`// Index20260521001UP ensures role_mappings collection indexes exist.`
			`func (r *roleMappingRepository) Index20260521001UP(ctx context.Context) error {`
			`if err := r.db.PopulateMultiIndex(ctx,`
			`[]string{`
			`permission.BSONFieldTenantID,`
			`permission.BSONFieldExternalSource,`
			`permission.BSONFieldExternalKey,`
			`},`
			`[]int32{1, 1, 1}, true); err != nil {`
			`return err`
			`}`
			`return r.db.PopulateMultiIndex(ctx,`
			`[]string{permission.BSONFieldTenantID, permission.BSONFieldInternalRoleID},`
			`[]int32{1, 1}, false)`
			`}`

			`var _ domrepo.RoleMappingRepository = (*roleMappingRepository)(nil)`