template-monorepo/internal/model/permission/repository/role_permission_mongo.go

package repository

import (
	"context"
	"time"

	libmongo "gateway/internal/library/mongo"
	permission "gateway/internal/model/permission/domain"
	"gateway/internal/model/permission/domain/entity"
	domrepo "gateway/internal/model/permission/domain/repository"

	"go.mongodb.org/mongo-driver/v2/bson"
	mongodriver "go.mongodb.org/mongo-driver/v2/mongo"
)

// RolePermissionRepositoryParam configures the Mongo role-permission repository.
type RolePermissionRepositoryParam struct {
	Conf *libmongo.Conf
}

type rolePermissionRepository struct {
	db libmongo.DocumentDBUseCase
}

// NewRolePermissionRepository creates a Mongo-backed RolePermissionRepository.
func NewRolePermissionRepository(param RolePermissionRepositoryParam) domrepo.RolePermissionRepository {
	documentDB, err := libmongo.NewDocumentDB(param.Conf, entity.RolePermission{}.CollectionName())
	if err != nil {
		panic(err)
	}
	return &rolePermissionRepository{db: documentDB}
}

func (r *rolePermissionRepository) Insert(ctx context.Context, rp *entity.RolePermission) error {
	now := time.Now().UTC().UnixMilli()
	if rp.ID.IsZero() {
		rp.ID = bson.NewObjectID()
	}
	if rp.CreateAt == 0 {
		rp.CreateAt = now
	}
	if rp.UpdateAt == 0 {
		rp.UpdateAt = now
	}
	_, err := r.db.GetClient().InsertOne(ctx, rp)
	if err != nil && mongodriver.IsDuplicateKeyError(err) {
		return nil
	}
	return err
}

func (r *rolePermissionRepository) BulkInsert(ctx context.Context, rps []*entity.RolePermission) error {
	if len(rps) == 0 {
		return nil
	}
	now := time.Now().UTC().UnixMilli()
	docs := make([]any, 0, len(rps))
	for _, rp := range rps {
		if rp.ID.IsZero() {
			rp.ID = bson.NewObjectID()
		}
		if rp.CreateAt == 0 {
			rp.CreateAt = now
		}
		if rp.UpdateAt == 0 {
			rp.UpdateAt = now
		}
		docs = append(docs, rp)
	}
	_, err := r.db.GetClient().InsertMany(ctx, docs)
	if err != nil && !mongodriver.IsDuplicateKeyError(err) {
		return err
	}
	return nil
}

func (r *rolePermissionRepository) DeleteByRole(ctx context.Context, tenantID, roleID string) error {
	filter := bson.M{
		permission.BSONFieldTenantID: tenantID,
		permission.BSONFieldRoleID:   roleID,
	}
	_, err := r.db.GetClient().DeleteMany(ctx, filter)
	return err
}

func (r *rolePermissionRepository) DeleteByPermission(ctx context.Context, permissionID string) (int64, error) {
	filter := bson.M{permission.BSONFieldPermissionID: permissionID}
	res, err := r.db.GetClient().DeleteMany(ctx, filter)
	return res, err
}

func (r *rolePermissionRepository) SetForRole(
	ctx context.Context,
	tenantID, roleID string,
	permissionIDs []string,
) error {
	if err := r.DeleteByRole(ctx, tenantID, roleID); err != nil {
		return err
	}
	if len(permissionIDs) == 0 {
		return nil
	}
	now := time.Now().UTC().UnixMilli()
	rows := make([]*entity.RolePermission, 0, len(permissionIDs))
	for _, pid := range permissionIDs {
		rows = append(rows, &entity.RolePermission{
			ID:           bson.NewObjectID(),
			TenantID:     tenantID,
			RoleID:       roleID,
			PermissionID: pid,
			CreateAt:     now,
			UpdateAt:     now,
		})
	}
	return r.BulkInsert(ctx, rows)
}

func (r *rolePermissionRepository) ListByRole(
	ctx context.Context,
	tenantID, roleID string,
) ([]*entity.RolePermission, error) {
	q := bson.M{
		permission.BSONFieldTenantID: tenantID,
		permission.BSONFieldRoleID:   roleID,
	}
	var docs []*entity.RolePermission
	if err := r.db.GetClient().Find(ctx, &docs, q); err != nil {
		return nil, err
	}
	return docs, nil
}

func (r *rolePermissionRepository) ListByRoles(
	ctx context.Context,
	tenantID string,
	roleIDs []string,
) ([]*entity.RolePermission, error) {
	if len(roleIDs) == 0 {
		return nil, nil
	}
	q := bson.M{
		permission.BSONFieldTenantID: tenantID,
		permission.BSONFieldRoleID:   bson.M{bsonOpIn: roleIDs},
	}
	var docs []*entity.RolePermission
	if err := r.db.GetClient().Find(ctx, &docs, q); err != nil {
		return nil, err
	}
	return docs, nil
}

func (r *rolePermissionRepository) ListByTenant(
	ctx context.Context,
	tenantID string,
) ([]*entity.RolePermission, error) {
	q := bson.M{permission.BSONFieldTenantID: tenantID}
	var docs []*entity.RolePermission
	if err := r.db.GetClient().Find(ctx, &docs, q); err != nil {
		return nil, err
	}
	return docs, nil
}

// Index20260521001UP ensures role_permissions collection indexes exist.
func (r *rolePermissionRepository) Index20260521001UP(ctx context.Context) error {
	if err := r.db.PopulateMultiIndex(ctx,
		[]string{permission.BSONFieldTenantID, permission.BSONFieldRoleID, permission.BSONFieldPermissionID},
		[]int32{1, 1, 1}, true); err != nil {
		return err
	}
	return r.db.PopulateMultiIndex(ctx,
		[]string{permission.BSONFieldTenantID, permission.BSONFieldPermissionID},
		[]int32{1, 1}, false)
}

var _ domrepo.RolePermissionRepository = (*rolePermissionRepository)(nil)
feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 08:47:35 +00:00			`package repository`

			`import (`
			`"context"`
			`"time"`

			`libmongo "gateway/internal/library/mongo"`
			`permission "gateway/internal/model/permission/domain"`
			`"gateway/internal/model/permission/domain/entity"`
			`domrepo "gateway/internal/model/permission/domain/repository"`

			`"go.mongodb.org/mongo-driver/v2/bson"`
			`mongodriver "go.mongodb.org/mongo-driver/v2/mongo"`
			`)`

			`// RolePermissionRepositoryParam configures the Mongo role-permission repository.`
			`type RolePermissionRepositoryParam struct {`
			`Conf *libmongo.Conf`
			`}`

			`type rolePermissionRepository struct {`
			`db libmongo.DocumentDBUseCase`
			`}`

			`// NewRolePermissionRepository creates a Mongo-backed RolePermissionRepository.`
			`func NewRolePermissionRepository(param RolePermissionRepositoryParam) domrepo.RolePermissionRepository {`
			`documentDB, err := libmongo.NewDocumentDB(param.Conf, entity.RolePermission{}.CollectionName())`
			`if err != nil {`
			`panic(err)`
			`}`
			`return &rolePermissionRepository{db: documentDB}`
			`}`

			`func (r rolePermissionRepository) Insert(ctx context.Context, rp entity.RolePermission) error {`
			`now := time.Now().UTC().UnixMilli()`
			`if rp.ID.IsZero() {`
			`rp.ID = bson.NewObjectID()`
			`}`
			`if rp.CreateAt == 0 {`
			`rp.CreateAt = now`
			`}`
			`if rp.UpdateAt == 0 {`
			`rp.UpdateAt = now`
			`}`
			`_, err := r.db.GetClient().InsertOne(ctx, rp)`
			`if err != nil && mongodriver.IsDuplicateKeyError(err) {`
			`return nil`
			`}`
			`return err`
			`}`

			`func (r rolePermissionRepository) BulkInsert(ctx context.Context, rps []entity.RolePermission) error {`
			`if len(rps) == 0 {`
			`return nil`
			`}`
			`now := time.Now().UTC().UnixMilli()`
			`docs := make([]any, 0, len(rps))`
			`for _, rp := range rps {`
			`if rp.ID.IsZero() {`
			`rp.ID = bson.NewObjectID()`
			`}`
			`if rp.CreateAt == 0 {`
			`rp.CreateAt = now`
			`}`
			`if rp.UpdateAt == 0 {`
			`rp.UpdateAt = now`
			`}`
			`docs = append(docs, rp)`
			`}`
			`_, err := r.db.GetClient().InsertMany(ctx, docs)`
			`if err != nil && !mongodriver.IsDuplicateKeyError(err) {`
			`return err`
			`}`
			`return nil`
			`}`

			`func (r *rolePermissionRepository) DeleteByRole(ctx context.Context, tenantID, roleID string) error {`
			`filter := bson.M{`
			`permission.BSONFieldTenantID: tenantID,`
			`permission.BSONFieldRoleID: roleID,`
			`}`
			`_, err := r.db.GetClient().DeleteMany(ctx, filter)`
			`return err`
			`}`

			`func (r *rolePermissionRepository) DeleteByPermission(ctx context.Context, permissionID string) (int64, error) {`
			`filter := bson.M{permission.BSONFieldPermissionID: permissionID}`
			`res, err := r.db.GetClient().DeleteMany(ctx, filter)`
			`return res, err`
			`}`

			`func (r *rolePermissionRepository) SetForRole(`
			`ctx context.Context,`
			`tenantID, roleID string,`
			`permissionIDs []string,`
			`) error {`
			`if err := r.DeleteByRole(ctx, tenantID, roleID); err != nil {`
			`return err`
			`}`
			`if len(permissionIDs) == 0 {`
			`return nil`
			`}`
			`now := time.Now().UTC().UnixMilli()`
			`rows := make([]*entity.RolePermission, 0, len(permissionIDs))`
			`for _, pid := range permissionIDs {`
			`rows = append(rows, &entity.RolePermission{`
			`ID: bson.NewObjectID(),`
			`TenantID: tenantID,`
			`RoleID: roleID,`
			`PermissionID: pid,`
			`CreateAt: now,`
			`UpdateAt: now,`
			`})`
			`}`
			`return r.BulkInsert(ctx, rows)`
			`}`

			`func (r *rolePermissionRepository) ListByRole(`
			`ctx context.Context,`
			`tenantID, roleID string,`
			`) ([]*entity.RolePermission, error) {`
			`q := bson.M{`
			`permission.BSONFieldTenantID: tenantID,`
			`permission.BSONFieldRoleID: roleID,`
			`}`
			`var docs []*entity.RolePermission`
			`if err := r.db.GetClient().Find(ctx, &docs, q); err != nil {`
			`return nil, err`
			`}`
			`return docs, nil`
			`}`

			`func (r *rolePermissionRepository) ListByRoles(`
			`ctx context.Context,`
			`tenantID string,`
			`roleIDs []string,`
			`) ([]*entity.RolePermission, error) {`
			`if len(roleIDs) == 0 {`
			`return nil, nil`
			`}`
			`q := bson.M{`
			`permission.BSONFieldTenantID: tenantID,`
			`permission.BSONFieldRoleID: bson.M{bsonOpIn: roleIDs},`
			`}`
			`var docs []*entity.RolePermission`
			`if err := r.db.GetClient().Find(ctx, &docs, q); err != nil {`
			`return nil, err`
			`}`
			`return docs, nil`
			`}`

			`func (r *rolePermissionRepository) ListByTenant(`
			`ctx context.Context,`
			`tenantID string,`
			`) ([]*entity.RolePermission, error) {`
			`q := bson.M{permission.BSONFieldTenantID: tenantID}`
			`var docs []*entity.RolePermission`
			`if err := r.db.GetClient().Find(ctx, &docs, q); err != nil {`
			`return nil, err`
			`}`
			`return docs, nil`
			`}`

			`// Index20260521001UP ensures role_permissions collection indexes exist.`
			`func (r *rolePermissionRepository) Index20260521001UP(ctx context.Context) error {`
			`if err := r.db.PopulateMultiIndex(ctx,`
			`[]string{permission.BSONFieldTenantID, permission.BSONFieldRoleID, permission.BSONFieldPermissionID},`
			`[]int32{1, 1, 1}, true); err != nil {`
			`return err`
			`}`
			`return r.db.PopulateMultiIndex(ctx,`
			`[]string{permission.BSONFieldTenantID, permission.BSONFieldPermissionID},`
			`[]int32{1, 1}, false)`
			`}`

			`var _ domrepo.RolePermissionRepository = (*rolePermissionRepository)(nil)`