Documentation
Index
- Variables
- func ConvertDBPermissions(dbPerms []database.CustomRolePermission) []rbac.Permission
- func ConvertDBRole(dbRole database.CustomRole) (rbac.Role, error)
- func ConvertPermissionsToDB(perms []rbac.Permission) []database.CustomRolePermission
- func CreateSystemRole(ctx context.Context, tx database.Store, org database.Organization, ...) error
- func CustomRoleCacheContext(ctx context.Context) context.Context
- func CustomRoleMW(next http.Handler) http.Handler
- func Expand(ctx context.Context, db database.Store, names []rbac.RoleIdentifier) (rbac.Roles, error)
- func IsSystemRoleName(name string) bool
- func ReconcileSystemRole(ctx context.Context, tx database.Store, in database.CustomRole, ...) (database.CustomRole, bool, error)
- func ReconcileSystemRoles(ctx context.Context, log slog.Logger, db database.Store) error
Constants
This section is empty.
Variables
var SystemRoleNames = maps.Keys(systemRoles)
Functions
func ConvertDBPermissions (added in v2.30.0)
func ConvertDBPermissions(dbPerms []database.CustomRolePermission) []rbac.Permission
ConvertDBPermissions converts database permissions to RBAC permissions.
func ConvertDBRole
func ConvertDBRole(dbRole database.CustomRole) (rbac.Role, error)
ConvertDBRole should not be used by any human-facing APIs. It is used for authz purposes.
func ConvertPermissionsToDB (added in v2.30.0)
func ConvertPermissionsToDB(perms []rbac.Permission) []database.CustomRolePermission
ConvertPermissionsToDB converts RBAC permissions to the database format.
func CreateSystemRole (added in v2.32.0)
func CreateSystemRole(ctx context.Context, tx database.Store, org database.Organization, roleName string) error
CreateSystemRole inserts a new system role into the database with permissions produced by permsFunc based on the organization's current settings.
func CustomRoleCacheContext
CustomRoleCacheContext prevents needing to look up custom roles more than once within the same request lifecycle. Optimizing this to span requests should be done in the future.
func CustomRoleMW
CustomRoleMW adds a custom role cache on the ctx to prevent duplicate db fetches.
func Expand
func Expand(ctx context.Context, db database.Store, names []rbac.RoleIdentifier) (rbac.Roles, error)
Expand will expand built-in roles, and fetch custom roles from the database. If a custom role is defined, but does not exist, the role will be omitted from the response. This means deleted roles are silently dropped.
func IsSystemRoleName (added in v2.32.0)
func ReconcileSystemRole (added in v2.32.0)
func ReconcileSystemRole(ctx context.Context, tx database.Store, in database.CustomRole, org database.Organization) (database.CustomRole, bool, error)
ReconcileSystemRole compares the given role's permissions against the desired permissions produced by the permissions function based on the organization's settings. If they differ, the DB row is updated. Uses set-based comparison so permission ordering doesn't matter. Returns the correct role and a boolean indicating whether the reconciliation was necessary.
IMPORTANT: Callers must hold database.LockIDReconcileSystemRoles for the duration of the enclosing transaction.
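The set-based comparison described for ReconcileSystemRole, sketched as an added example (not the package's own code). The Permission struct and the names toSet, diffPermissions and needsReconcile are assumptions made for illustration, and the sample permissions are constructed. Reporting missing and extra permissions separately shows whether a stale row would under-grant or over-grant.

```go
package main

import "fmt"

// Permission is a stand-in for one stored role permission. The field names
// are assumptions for this example, not the package's own types.
type Permission struct {
	Negate       bool
	ResourceType string
	Action       string
}

// toSet collapses a slice into a set, so order and duplicates are ignored.
func toSet(perms []Permission) map[Permission]struct{} {
	set := make(map[Permission]struct{}, len(perms))
	for _, p := range perms {
		set[p] = struct{}{}
	}
	return set
}

// diffPermissions reports which desired permissions the stored role lacks
// (missing) and which stored permissions are no longer desired (extra).
func diffPermissions(stored, desired []Permission) (missing, extra []Permission) {
	s, d := toSet(stored), toSet(desired)
	for p := range d {
		if _, ok := s[p]; !ok {
			missing = append(missing, p)
		}
	}
	for p := range s {
		if _, ok := d[p]; !ok {
			extra = append(extra, p)
		}
	}
	return missing, extra
}

// needsReconcile is true when the stored row would have to be rewritten.
func needsReconcile(stored, desired []Permission) bool {
	missing, extra := diffPermissions(stored, desired)
	return len(missing) > 0 || len(extra) > 0
}

func main() {
	// Constructed sample data.
	read := Permission{ResourceType: "workspace", Action: "read"}
	update := Permission{ResourceType: "workspace", Action: "update"}
	fmt.Println(needsReconcile([]Permission{read, update}, []Permission{update, read}))
	fmt.Println(needsReconcile([]Permission{read, update}, []Permission{read}))
}
```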
Types
This section is empty.