template-monorepo/internal/model/permission/usecase/role_permission_usecase.go

package usecase

import (
	"context"

	"gateway/internal/model/permission/domain/entity"
	domrepo "gateway/internal/model/permission/domain/repository"
	dom "gateway/internal/model/permission/domain/usecase"
)

// PolicyReloader is the optional callback invoked after Replace mutates
// role_permissions. RBACUseCase.BroadcastReload satisfies it; passing nil
// disables the post-replace broadcast (useful in tests).
type PolicyReloader func(ctx context.Context, tenantID string) error

// RolePermissionUseCaseParam injects all repos needed to replace role
// permission sets and the reloader hook.
type RolePermissionUseCaseParam struct {
	Roles           domrepo.RoleRepository
	Permissions     domrepo.PermissionRepository
	RolePermissions domrepo.RolePermissionRepository
	Reloader        PolicyReloader
}

type rolePermissionUseCase struct {
	roles     domrepo.RoleRepository
	perms     domrepo.PermissionRepository
	rolePerms domrepo.RolePermissionRepository
	reload    PolicyReloader
}

// NewRolePermissionUseCase returns the role↔permission editor.
func NewRolePermissionUseCase(param RolePermissionUseCaseParam) dom.RolePermissionUseCase {
	return &rolePermissionUseCase{
		roles:     param.Roles,
		perms:     param.Permissions,
		rolePerms: param.RolePermissions,
		reload:    param.Reloader,
	}
}

func (uc *rolePermissionUseCase) List(
	ctx context.Context,
	tenantID, roleID string,
) ([]*entity.Permission, error) {
	if _, err := uc.roles.GetByID(ctx, tenantID, roleID); err != nil {
		return nil, wrapRepoErr(err)
	}
	rps, err := uc.rolePerms.ListByRole(ctx, tenantID, roleID)
	if err != nil {
		return nil, wrapRepoErr(err)
	}
	if len(rps) == 0 {
		return nil, nil
	}
	ids := make([]string, 0, len(rps))
	for _, rp := range rps {
		ids = append(ids, rp.PermissionID)
	}
	perms, err := uc.perms.GetByIDs(ctx, ids)
	if err != nil {
		return nil, wrapRepoErr(err)
	}
	return perms, nil
}

func (uc *rolePermissionUseCase) Replace(
	ctx context.Context,
	tenantID, roleID string,
	permissionIDs []string,
) error {
	role, err := uc.roles.GetByID(ctx, tenantID, roleID)
	if err != nil {
		return wrapRepoErr(err)
	}
	allPerms, err := uc.perms.GetAll(ctx, nil)
	if err != nil {
		return wrapRepoErr(err)
	}
	allowed := make(map[string]struct{}, len(allPerms))
	for _, perm := range allPerms {
		allowed[perm.ID.Hex()] = struct{}{}
	}
	for _, id := range permissionIDs {
		if _, ok := allowed[id]; !ok {
			return errb.ResNotFound("permission not in catalog: " + id)
		}
	}
	closure := getFullParentPermissionIDs(permissionIDs, allPerms)
	if err := uc.rolePerms.SetForRole(ctx, tenantID, roleID, closure); err != nil {
		return wrapRepoErr(err, "set role permissions")
	}
	if uc.reload != nil {
		if err := uc.reload(ctx, role.TenantID); err != nil {
			return wrapRepoErr(err, "reload policy")
		}
	}
	return nil
}

var _ dom.RolePermissionUseCase = (*rolePermissionUseCase)(nil)
feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 08:47:35 +00:00			`package usecase`

			`import (`
			`"context"`

			`"gateway/internal/model/permission/domain/entity"`
			`domrepo "gateway/internal/model/permission/domain/repository"`
			`dom "gateway/internal/model/permission/domain/usecase"`
			`)`

			`// PolicyReloader is the optional callback invoked after Replace mutates`
			`// role_permissions. RBACUseCase.BroadcastReload satisfies it; passing nil`
			`// disables the post-replace broadcast (useful in tests).`
			`type PolicyReloader func(ctx context.Context, tenantID string) error`

			`// RolePermissionUseCaseParam injects all repos needed to replace role`
			`// permission sets and the reloader hook.`
			`type RolePermissionUseCaseParam struct {`
			`Roles domrepo.RoleRepository`
			`Permissions domrepo.PermissionRepository`
			`RolePermissions domrepo.RolePermissionRepository`
			`Reloader PolicyReloader`
			`}`

			`type rolePermissionUseCase struct {`
			`roles domrepo.RoleRepository`
			`perms domrepo.PermissionRepository`
			`rolePerms domrepo.RolePermissionRepository`
			`reload PolicyReloader`
			`}`

			`// NewRolePermissionUseCase returns the role↔permission editor.`
			`func NewRolePermissionUseCase(param RolePermissionUseCaseParam) dom.RolePermissionUseCase {`
			`return &rolePermissionUseCase{`
			`roles: param.Roles,`
			`perms: param.Permissions,`
			`rolePerms: param.RolePermissions,`
			`reload: param.Reloader,`
			`}`
			`}`

			`func (uc *rolePermissionUseCase) List(`
			`ctx context.Context,`
			`tenantID, roleID string,`
			`) ([]*entity.Permission, error) {`
			`if _, err := uc.roles.GetByID(ctx, tenantID, roleID); err != nil {`
			`return nil, wrapRepoErr(err)`
			`}`
			`rps, err := uc.rolePerms.ListByRole(ctx, tenantID, roleID)`
			`if err != nil {`
			`return nil, wrapRepoErr(err)`
			`}`
			`if len(rps) == 0 {`
			`return nil, nil`
			`}`
			`ids := make([]string, 0, len(rps))`
			`for _, rp := range rps {`
			`ids = append(ids, rp.PermissionID)`
			`}`
			`perms, err := uc.perms.GetByIDs(ctx, ids)`
			`if err != nil {`
			`return nil, wrapRepoErr(err)`
			`}`
			`return perms, nil`
			`}`

			`func (uc *rolePermissionUseCase) Replace(`
			`ctx context.Context,`
			`tenantID, roleID string,`
			`permissionIDs []string,`
			`) error {`
			`role, err := uc.roles.GetByID(ctx, tenantID, roleID)`
			`if err != nil {`
			`return wrapRepoErr(err)`
			`}`
			`allPerms, err := uc.perms.GetAll(ctx, nil)`
			`if err != nil {`
			`return wrapRepoErr(err)`
			`}`
			`allowed := make(map[string]struct{}, len(allPerms))`
			`for _, perm := range allPerms {`
			`allowed[perm.ID.Hex()] = struct{}{}`
			`}`
			`for _, id := range permissionIDs {`
			`if _, ok := allowed[id]; !ok {`
			`return errb.ResNotFound("permission not in catalog: " + id)`
			`}`
			`}`
			`closure := getFullParentPermissionIDs(permissionIDs, allPerms)`
			`if err := uc.rolePerms.SetForRole(ctx, tenantID, roleID, closure); err != nil {`
			`return wrapRepoErr(err, "set role permissions")`
			`}`
			`if uc.reload != nil {`
			`if err := uc.reload(ctx, role.TenantID); err != nil {`
			`return wrapRepoErr(err, "reload policy")`
			`}`
			`}`
			`return nil`
			`}`

			`var _ dom.RolePermissionUseCase = (*rolePermissionUseCase)(nil)`