template-monorepo/internal/model/permission/usecase/permission_tree.go

package usecase

import (
	"sort"

	"gateway/internal/model/permission/domain/entity"
	"gateway/internal/model/permission/domain/enum"
	dom "gateway/internal/model/permission/domain/usecase"
)

// buildPermissionTree converts the flat permission list into a parent →
// children tree. Roots (parent == "") are returned in alphabetical order
// by Name for stable client rendering.
func buildPermissionTree(perms []*entity.Permission) []*dom.PermissionTreeNode {
	byParent := make(map[string][]*dom.PermissionTreeNode)
	indexByID := make(map[string]*dom.PermissionTreeNode, len(perms))
	for _, perm := range perms {
		node := permissionToNode(perm)
		indexByID[node.ID] = node
		byParent[perm.Parent] = append(byParent[perm.Parent], node)
	}
	for _, children := range byParent {
		sort.SliceStable(children, func(i, j int) bool {
			return children[i].Name < children[j].Name
		})
	}
	for parentID, children := range byParent {
		if parent, ok := indexByID[parentID]; ok {
			parent.Children = children
		}
	}
	return byParent[""]
}

// filterOpenNodes prunes status=close subtrees (and any parent that has
// no remaining children). Mirrors permission-server's filterOpenNodes.
func filterOpenNodes(nodes []*dom.PermissionTreeNode) []*dom.PermissionTreeNode {
	out := make([]*dom.PermissionTreeNode, 0, len(nodes))
	for _, node := range nodes {
		if node.Status != enum.StatusOpen {
			continue
		}
		if len(node.Children) > 0 {
			node.Children = filterOpenNodes(node.Children)
		}
		out = append(out, node)
	}
	return out
}

// filterByType drops subtrees whose type does not match. Useful for the
// "frontend menu only" client query.
func filterByType(nodes []*dom.PermissionTreeNode, t enum.PermissionType) []*dom.PermissionTreeNode {
	out := make([]*dom.PermissionTreeNode, 0, len(nodes))
	for _, node := range nodes {
		// Category nodes inherit the type of their children when they
		// have no leaf type of their own; filter recursively first.
		var kids []*dom.PermissionTreeNode
		if len(node.Children) > 0 {
			kids = filterByType(node.Children, t)
		}
		if node.Type == t || len(kids) > 0 {
			node.Children = kids
			out = append(out, node)
		}
	}
	return out
}

// getFullParentPermissionIDs walks up the parent chain for each id in
// requestedIDs and returns the deduplicated closure (requested + every
// ancestor). Mirrors permission-server's helper of the same name; used
// when persisting RolePermissions so a tenant prefix-clicking a leaf also
// gets the parent UI sections.
func getFullParentPermissionIDs(
	requestedIDs []string,
	allPermissions []*entity.Permission,
) []string {
	parentByID := make(map[string]string, len(allPermissions))
	for _, perm := range allPermissions {
		parentByID[perm.ID.Hex()] = perm.Parent
	}
	seen := make(map[string]struct{}, len(requestedIDs)*2)
	out := make([]string, 0, len(requestedIDs)*2)
	for _, id := range requestedIDs {
		walkParents(id, parentByID, seen, &out)
	}
	return out
}

func walkParents(
	id string,
	parentByID map[string]string,
	seen map[string]struct{},
	out *[]string,
) {
	for id != "" {
		if _, ok := seen[id]; ok {
			return
		}
		seen[id] = struct{}{}
		*out = append(*out, id)
		parent, ok := parentByID[id]
		if !ok || parent == "" {
			return
		}
		id = parent
	}
}

func permissionToNode(perm *entity.Permission) *dom.PermissionTreeNode {
	return &dom.PermissionTreeNode{
		ID:          perm.ID.Hex(),
		Parent:      perm.Parent,
		Name:        perm.Name,
		HTTPMethods: perm.HTTPMethods,
		HTTPPath:    perm.HTTPPath,
		Status:      perm.Status,
		Type:        perm.Type,
	}
}
feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 08:47:35 +00:00			`package usecase`

			`import (`
			`"sort"`

			`"gateway/internal/model/permission/domain/entity"`
			`"gateway/internal/model/permission/domain/enum"`
			`dom "gateway/internal/model/permission/domain/usecase"`
			`)`

			`// buildPermissionTree converts the flat permission list into a parent →`
			`// children tree. Roots (parent == "") are returned in alphabetical order`
			`// by Name for stable client rendering.`
			`func buildPermissionTree(perms []entity.Permission) []dom.PermissionTreeNode {`
			`byParent := make(map[string][]*dom.PermissionTreeNode)`
			`indexByID := make(map[string]*dom.PermissionTreeNode, len(perms))`
			`for _, perm := range perms {`
			`node := permissionToNode(perm)`
			`indexByID[node.ID] = node`
			`byParent[perm.Parent] = append(byParent[perm.Parent], node)`
			`}`
			`for _, children := range byParent {`
			`sort.SliceStable(children, func(i, j int) bool {`
			`return children[i].Name < children[j].Name`
			`})`
			`}`
			`for parentID, children := range byParent {`
			`if parent, ok := indexByID[parentID]; ok {`
			`parent.Children = children`
			`}`
			`}`
			`return byParent[""]`
			`}`

			`// filterOpenNodes prunes status=close subtrees (and any parent that has`
			`// no remaining children). Mirrors permission-server's filterOpenNodes.`
			`func filterOpenNodes(nodes []dom.PermissionTreeNode) []dom.PermissionTreeNode {`
			`out := make([]*dom.PermissionTreeNode, 0, len(nodes))`
			`for _, node := range nodes {`
			`if node.Status != enum.StatusOpen {`
			`continue`
			`}`
			`if len(node.Children) > 0 {`
			`node.Children = filterOpenNodes(node.Children)`
			`}`
			`out = append(out, node)`
			`}`
			`return out`
			`}`

			`// filterByType drops subtrees whose type does not match. Useful for the`
			`// "frontend menu only" client query.`
			`func filterByType(nodes []dom.PermissionTreeNode, t enum.PermissionType) []dom.PermissionTreeNode {`
			`out := make([]*dom.PermissionTreeNode, 0, len(nodes))`
			`for _, node := range nodes {`
			`// Category nodes inherit the type of their children when they`
			`// have no leaf type of their own; filter recursively first.`
			`var kids []*dom.PermissionTreeNode`
			`if len(node.Children) > 0 {`
			`kids = filterByType(node.Children, t)`
			`}`
			`if node.Type == t \|\| len(kids) > 0 {`
			`node.Children = kids`
			`out = append(out, node)`
			`}`
			`}`
			`return out`
			`}`

			`// getFullParentPermissionIDs walks up the parent chain for each id in`
			`// requestedIDs and returns the deduplicated closure (requested + every`
			`// ancestor). Mirrors permission-server's helper of the same name; used`
			`// when persisting RolePermissions so a tenant prefix-clicking a leaf also`
			`// gets the parent UI sections.`
			`func getFullParentPermissionIDs(`
			`requestedIDs []string,`
			`allPermissions []*entity.Permission,`
			`) []string {`
			`parentByID := make(map[string]string, len(allPermissions))`
			`for _, perm := range allPermissions {`
			`parentByID[perm.ID.Hex()] = perm.Parent`
			`}`
			`seen := make(map[string]struct{}, len(requestedIDs)*2)`
			`out := make([]string, 0, len(requestedIDs)*2)`
			`for _, id := range requestedIDs {`
			`walkParents(id, parentByID, seen, &out)`
			`}`
			`return out`
			`}`

			`func walkParents(`
			`id string,`
			`parentByID map[string]string,`
			`seen map[string]struct{},`
			`out *[]string,`
			`) {`
			`for id != "" {`
			`if _, ok := seen[id]; ok {`
			`return`
			`}`
			`seen[id] = struct{}{}`
			`out = append(out, id)`
			`parent, ok := parentByID[id]`
			`if !ok \|\| parent == "" {`
			`return`
			`}`
			`id = parent`
			`}`
			`}`

			`func permissionToNode(perm entity.Permission) dom.PermissionTreeNode {`
			`return &dom.PermissionTreeNode{`
			`ID: perm.ID.Hex(),`
			`Parent: perm.Parent,`
			`Name: perm.Name,`
			`HTTPMethods: perm.HTTPMethods,`
			`HTTPPath: perm.HTTPPath,`
			`Status: perm.Status,`
			`Type: perm.Type,`
			`}`
			`}`