package usecase
import "context"
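// CheckRequest is the standard input to the RBAC enforcer; it mirrors the
// Casbin policy header (sub, obj, act). TenantID is split out so the
// loader can pick the right enforcer instance.
//
// NOTE(review): every field here feeds an authorization decision. TenantID
// and UID are presumably derived from the verified session or token rather
// than from client-controlled input; confirm at the call sites. When UID
// carries a `{tenant}:` prefix it should agree with TenantID, otherwise a
// subject could be evaluated against a different tenant's enforcer than the
// one it belongs to.
type CheckRequest struct {
	// TenantID selects the per-tenant enforcer instance.
	TenantID string

	// UID is the Casbin "sub", typically `{tenant}:{uid}`.
	UID string

	// Path is the HTTP path, e.g. /api/v1/members/AMEX-100001; presumably
	// the Casbin "obj".
	// NOTE(review): no normalisation is visible in this file. Confirm the
	// path is cleaned (dot segments, duplicate slashes, percent-encoding)
	// the same way by the router and by the enforcer, so the string that
	// is authorised is the string that is served.
	Path string

	// Method is one of GET / POST / PATCH / DELETE / *; presumably the
	// Casbin "act".
	// NOTE(review): confirm `*` is only meaningful in policy rows and that
	// a request carrying `*` cannot match more than a concrete verb would.
	Method string
}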
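// CheckResult bundles the boolean answer with the matched permission so
// audit logging can attribute the decision.
//
// The zero value has Allow == false, so a result that was never populated
// reads as a deny.
type CheckResult struct {
	// Allow is the authorization decision.
	Allow bool

	// MatchedRoleKey presumably identifies the role whose permission
	// produced the decision.
	// NOTE(review): confirm what it holds when Allow is false, so audit
	// records for denials are not attributed to a role by accident.
	MatchedRoleKey string

	// MatchedPolicyRow is presumably the policy row that matched, kept for
	// the audit trail.
	MatchedPolicyRow []string
}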
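// RBACUseCase wraps the per-tenant Casbin enforcer.
//
// LoadPolicy is the heavy operation (read all role_permission rows for a
// tenant, materialise into [][]string and feed casbin); BroadcastReload
// publishes via Redis Pub/Sub so other pods reload too.
//
// NOTE(review): Pub/Sub delivery is fire-and-forget, so a pod that misses a
// reload message keeps enforcing the old policy until its next load. If
// permission revocation has to take effect within a bounded time, confirm
// there is a periodic reload or a version check in addition to the broadcast.
type RBACUseCase interface {
	// Check evaluates req and returns the decision together with the
	// matched permission.
	// NOTE(review): callers should fail closed, treating a non-nil error
	// or a nil result as a deny; confirm implementations never return
	// Allow == true alongside an error.
	Check(ctx context.Context, req *CheckRequest) (*CheckResult, error)

	// LoadPolicy loads the policy for a single tenant.
	LoadPolicy(ctx context.Context, tenantID string) error

	// LoadAllPolicies presumably runs the load for every tenant.
	LoadAllPolicies(ctx context.Context) error

	// BroadcastReload announces that tenantID's policy changed so that
	// other pods reload it.
	BroadcastReload(ctx context.Context, tenantID string) error

	// StartReloadSubscriber presumably starts listening for the reload
	// messages published by BroadcastReload.
	// NOTE(review): the tenant ID received from the channel should be
	// validated before it triggers a load, since anything able to publish
	// on that channel can cause reloads.
	StartReloadSubscriber(ctx context.Context) error

	// StopReloadSubscriber presumably stops that listener; it takes no
	// context and reports no error.
	StopReloadSubscriber()
}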