accesscontrol

Published: Feb 12, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	// Asset ownership errors.
	//
	// Every error in this block wraps a sentinel from package shared via %w, so a
	// caller can classify by category (errors.Is(err, shared.ErrNotFound),
	// errors.Is(err, shared.ErrForbidden), ...) or match the specific value
	// (errors.Is(err, ErrAssetOwnerNotFound)). Always compare with errors.Is,
	// never by message text.

	// ErrAssetOwnerNotFound indicates that no ownership record exists for the
	// requested asset/owner pair. Wraps shared.ErrNotFound.
	ErrAssetOwnerNotFound   = fmt.Errorf("%w: asset owner not found", shared.ErrNotFound)
	// ErrAssetOwnerExists indicates that an ownership record already exists for
	// the pair. Wraps shared.ErrAlreadyExists.
	ErrAssetOwnerExists     = fmt.Errorf("%w: asset ownership already exists", shared.ErrAlreadyExists)
	// ErrLastPrimaryOwner indicates that a removal would leave the asset without
	// any OwnershipPrimary owner. Wraps shared.ErrValidation.
	ErrLastPrimaryOwner     = fmt.Errorf("%w: cannot remove the last primary owner", shared.ErrValidation)
	// ErrInvalidOwnershipType indicates an OwnershipType that is not one of the
	// declared constants (see OwnershipType.IsValid). Wraps shared.ErrValidation.
	ErrInvalidOwnershipType = fmt.Errorf("%w: invalid ownership type", shared.ErrValidation)

	// Group permission errors (custom allow/deny overrides on a group).

	// ErrGroupPermissionNotFound indicates that no override exists for the
	// group/permission pair. Wraps shared.ErrNotFound.
	ErrGroupPermissionNotFound = fmt.Errorf("%w: group permission not found", shared.ErrNotFound)
	// ErrGroupPermissionExists indicates that an override already exists for the
	// pair. Wraps shared.ErrAlreadyExists.
	ErrGroupPermissionExists   = fmt.Errorf("%w: group permission already exists", shared.ErrAlreadyExists)
	// ErrInvalidPermissionEffect indicates a PermissionEffect other than
	// EffectAllow/EffectDeny (see PermissionEffect.IsValid). Wraps shared.ErrValidation.
	ErrInvalidPermissionEffect = fmt.Errorf("%w: invalid permission effect", shared.ErrValidation)

	// Assignment rule errors (auto-routing of findings to groups).

	// ErrAssignmentRuleNotFound indicates that the rule ID is unknown. Wraps shared.ErrNotFound.
	ErrAssignmentRuleNotFound = fmt.Errorf("%w: assignment rule not found", shared.ErrNotFound)
	// ErrAssignmentRuleInactive indicates that the rule exists but is deactivated.
	// Wraps shared.ErrValidation.
	ErrAssignmentRuleInactive = fmt.Errorf("%w: assignment rule is inactive", shared.ErrValidation)
	// ErrNoMatchingRule indicates that no rule's conditions matched. Wraps shared.ErrNotFound.
	ErrNoMatchingRule         = fmt.Errorf("%w: no matching assignment rule found", shared.ErrNotFound)
	// ErrTargetGroupNotFound indicates that a rule's target group does not exist.
	// Wraps shared.ErrNotFound.
	ErrTargetGroupNotFound    = fmt.Errorf("%w: target group not found", shared.ErrNotFound)
	// ErrTargetGroupInactive indicates that a rule's target group is deactivated.
	// Wraps shared.ErrValidation.
	ErrTargetGroupInactive    = fmt.Errorf("%w: target group is inactive", shared.ErrValidation)

	// Permission resolution errors.

	// ErrCircularPermissionChain indicates that a permission set's parent chain
	// loops back on itself, which would make the
	// "parent + additions - removals" walk in ResolvePermissionSetPermissions
	// non-terminating. Wraps shared.ErrValidation.
	ErrCircularPermissionChain = fmt.Errorf("%w: circular permission set inheritance detected", shared.ErrValidation)
	// ErrPermissionResolution indicates an internal failure while resolving
	// permissions. Wraps shared.ErrInternal: log the underlying cause server-side
	// and return only this generic error to clients.
	ErrPermissionResolution    = fmt.Errorf("%w: failed to resolve permissions", shared.ErrInternal)

	// Access errors.
	//
	// All three wrap shared.ErrForbidden, so a transport layer that maps
	// shared.ErrForbidden to its "forbidden" response covers them with a single
	// errors.Is check; the distinct values remain useful for logging and audit.
	// NOTE(review): at an API boundary, answering ErrAssetOwnerNotFound for some
	// assets and ErrAssetAccessDenied for others lets a caller infer which asset
	// IDs exist even without access to them; consider collapsing both to the same
	// client-visible response where that matters.

	// ErrAccessDenied is the generic authorization failure.
	ErrAccessDenied           = fmt.Errorf("%w: access denied", shared.ErrForbidden)
	// ErrInsufficientPermission indicates that the caller lacks a required permission.
	ErrInsufficientPermission = fmt.Errorf("%w: insufficient permissions", shared.ErrForbidden)
	// ErrAssetAccessDenied indicates that the caller may not access a specific asset.
	ErrAssetAccessDenied      = fmt.Errorf("%w: access to asset denied", shared.ErrForbidden)
)

Domain errors for access control.

Functions

func IsAccessDenied

func IsAccessDenied(err error) bool

IsAccessDenied checks if the error is an access denied error.

func IsAssetOwnerExists

func IsAssetOwnerExists(err error) bool

IsAssetOwnerExists checks if the error is an asset owner exists error.

func IsAssetOwnerNotFound

func IsAssetOwnerNotFound(err error) bool

IsAssetOwnerNotFound checks if the error is an asset owner not found error.

func IsAssignmentRuleNotFound

func IsAssignmentRuleNotFound(err error) bool

IsAssignmentRuleNotFound checks if the error is an assignment rule not found error.

func IsInsufficientPermission

func IsInsufficientPermission(err error) bool

IsInsufficientPermission checks if the error is an insufficient permission error.

Types

type AssetOwner

type AssetOwner struct {
	// contains filtered or unexported fields
}

AssetOwner represents ownership of an asset by a group or user. Either groupID or userID must be set (but not both).

func NewAssetOwner

func NewAssetOwner(assetID, groupID shared.ID, ownershipType OwnershipType, assignedBy *shared.ID) (*AssetOwner, error)

NewAssetOwner creates a new asset owner relationship (legacy; defaults to group ownership). Deprecated: Use NewAssetOwnerForGroup or NewAssetOwnerForUser instead.

func NewAssetOwnerForGroup

func NewAssetOwnerForGroup(assetID, groupID shared.ID, ownershipType OwnershipType, assignedBy *shared.ID) (*AssetOwner, error)

NewAssetOwnerForGroup creates a new asset owner relationship for a group.

func NewAssetOwnerForUser

func NewAssetOwnerForUser(assetID, userID shared.ID, ownershipType OwnershipType, assignedBy *shared.ID) (*AssetOwner, error)

NewAssetOwnerForUser creates a new asset owner relationship for a user (direct ownership).

func ReconstituteAssetOwner

func ReconstituteAssetOwner(
	id shared.ID,
	assetID shared.ID,
	groupID *shared.ID,
	userID *shared.ID,
	ownershipType OwnershipType,
	assignedAt time.Time,
	assignedBy *shared.ID,
) *AssetOwner

ReconstituteAssetOwner recreates an AssetOwner from persistence.

func (*AssetOwner) AssetID

func (ao *AssetOwner) AssetID() shared.ID

AssetID returns the asset ID.

func (*AssetOwner) AssignedAt

func (ao *AssetOwner) AssignedAt() time.Time

AssignedAt returns when the ownership was assigned.

func (*AssetOwner) AssignedBy

func (ao *AssetOwner) AssignedBy() *shared.ID

AssignedBy returns who assigned the ownership.

func (*AssetOwner) GroupID

func (ao *AssetOwner) GroupID() *shared.ID

GroupID returns the group ID (nil if user ownership).

func (*AssetOwner) HasFullAccess

func (ao *AssetOwner) HasFullAccess() bool

HasFullAccess checks if this ownership grants full access.

func (*AssetOwner) HasViewAccess

func (ao *AssetOwner) HasViewAccess() bool

HasViewAccess checks if this ownership grants view access.

func (*AssetOwner) ID

func (ao *AssetOwner) ID() shared.ID

ID returns the owner record ID.

func (*AssetOwner) IsGroupOwnership

func (ao *AssetOwner) IsGroupOwnership() bool

IsGroupOwnership returns true if this is group-level ownership.

func (*AssetOwner) IsUserOwnership

func (ao *AssetOwner) IsUserOwnership() bool

IsUserOwnership returns true if this is direct user-level ownership.

func (*AssetOwner) OwnershipType

func (ao *AssetOwner) OwnershipType() OwnershipType

OwnershipType returns the ownership type.

func (*AssetOwner) UpdateOwnershipType

func (ao *AssetOwner) UpdateOwnershipType(ownershipType OwnershipType) error

UpdateOwnershipType updates the ownership type.

func (*AssetOwner) UserID

func (ao *AssetOwner) UserID() *shared.ID

UserID returns the user ID (nil if group ownership).

type AssetWithOwners

type AssetWithOwners struct {
	// AssetID identifies the asset that the Owners records belong to.
	AssetID shared.ID
	// Owners holds the ownership records (group or user) attached to AssetID.
	Owners  []*AssetOwner
}

AssetWithOwners represents an asset with its ownership information.

type AssignmentConditions

type AssignmentConditions struct {
	// AssetTypes restricts the rule to findings on assets of these types.
	// NOTE(review): the JSON tag is singular ("asset_type") while the field name
	// and ScopeValue.AssetTypes ("asset_types") are plural. Confirm which wire
	// name clients actually send before touching it — renaming the tag is a
	// breaking change for stored rules and API clients.
	AssetTypes      []string `json:"asset_type,omitempty"`
	// FilePathPattern restricts the rule by the finding's file path. The pattern
	// syntax (glob vs. regexp) is not defined in this package — confirm with the
	// matcher. If it is a regexp, compile it once per rule rather than per finding.
	FilePathPattern string   `json:"file_path_pattern,omitempty"`
	// FindingSeverity, FindingType and FindingSource restrict the rule by the
	// corresponding finding attributes. Presumably all non-empty conditions are
	// ANDed and an empty slice means "no restriction" — confirm with the matcher.
	FindingSeverity []string `json:"finding_severity,omitempty"`
	FindingType     []string `json:"finding_type,omitempty"`
	FindingSource   []string `json:"finding_source,omitempty"`
	// AssetTags restricts the rule to assets carrying these tags.
	AssetTags       []string `json:"asset_tags,omitempty"`
}

AssignmentConditions represents conditions for auto-assignment rules.

type AssignmentOptions

type AssignmentOptions struct {
	// NotifyGroup, when true, requests that the rule's target group be notified
	// when a finding is assigned to it.
	NotifyGroup        bool   `json:"notify_group,omitempty"`
	// SetFindingPriority, when non-empty, is the priority to apply to findings
	// matched by the rule. The accepted values are not enumerated in this package
	// — presumably validated where the rule is applied; confirm.
	SetFindingPriority string `json:"set_finding_priority,omitempty"`
}

AssignmentOptions represents options for assignment rules.

type AssignmentRule

type AssignmentRule struct {
	// contains filtered or unexported fields
}

AssignmentRule represents an auto-routing rule for findings.

func NewAssignmentRule

func NewAssignmentRule(
	tenantID shared.ID,
	name string,
	conditions AssignmentConditions,
	targetGroupID shared.ID,
	createdBy *shared.ID,
) (*AssignmentRule, error)

NewAssignmentRule creates a new assignment rule.

func ReconstituteAssignmentRule

func ReconstituteAssignmentRule(
	id shared.ID,
	tenantID shared.ID,
	name, description string,
	priority int,
	isActive bool,
	conditions AssignmentConditions,
	targetGroupID shared.ID,
	options AssignmentOptions,
	createdAt, updatedAt time.Time,
	createdBy *shared.ID,
) *AssignmentRule

ReconstituteAssignmentRule recreates an AssignmentRule from persistence.

func (*AssignmentRule) Activate

func (r *AssignmentRule) Activate()

Activate activates the rule.

func (*AssignmentRule) Conditions

func (r *AssignmentRule) Conditions() AssignmentConditions

Conditions returns the matching conditions.

func (*AssignmentRule) CreatedAt

func (r *AssignmentRule) CreatedAt() time.Time

CreatedAt returns the creation timestamp.

func (*AssignmentRule) CreatedBy

func (r *AssignmentRule) CreatedBy() *shared.ID

CreatedBy returns who created this rule.

func (*AssignmentRule) Deactivate

func (r *AssignmentRule) Deactivate()

Deactivate deactivates the rule.

func (*AssignmentRule) Description

func (r *AssignmentRule) Description() string

Description returns the rule description.

func (*AssignmentRule) ID

func (r *AssignmentRule) ID() shared.ID

ID returns the rule ID.

func (*AssignmentRule) IsActive

func (r *AssignmentRule) IsActive() bool

IsActive returns whether the rule is active.

func (*AssignmentRule) Name

func (r *AssignmentRule) Name() string

Name returns the rule name.

func (*AssignmentRule) Options

func (r *AssignmentRule) Options() AssignmentOptions

Options returns the rule options.

func (*AssignmentRule) Priority

func (r *AssignmentRule) Priority() int

Priority returns the rule priority (higher = evaluated first).

func (*AssignmentRule) TargetGroupID

func (r *AssignmentRule) TargetGroupID() shared.ID

TargetGroupID returns the target group ID.

func (*AssignmentRule) TenantID

func (r *AssignmentRule) TenantID() shared.ID

TenantID returns the tenant ID.

func (*AssignmentRule) UpdateConditions

func (r *AssignmentRule) UpdateConditions(conditions AssignmentConditions)

UpdateConditions updates the matching conditions.

func (*AssignmentRule) UpdateDescription

func (r *AssignmentRule) UpdateDescription(description string)

UpdateDescription updates the rule description.

func (*AssignmentRule) UpdateName

func (r *AssignmentRule) UpdateName(name string) error

UpdateName updates the rule name.

func (*AssignmentRule) UpdateOptions

func (r *AssignmentRule) UpdateOptions(options AssignmentOptions)

UpdateOptions updates the rule options.

func (*AssignmentRule) UpdatePriority

func (r *AssignmentRule) UpdatePriority(priority int)

UpdatePriority updates the rule priority.

func (*AssignmentRule) UpdateTargetGroup

func (r *AssignmentRule) UpdateTargetGroup(targetGroupID shared.ID) error

UpdateTargetGroup updates the target group.

func (*AssignmentRule) UpdatedAt

func (r *AssignmentRule) UpdatedAt() time.Time

UpdatedAt returns the last update timestamp.

type AssignmentRuleFilter

type AssignmentRuleFilter struct {
	// Status filter. A pointer so that "no filter" (nil) can be told apart from
	// "only inactive" (false) — presumably; confirm against the repository.
	IsActive *bool

	// Target group filter; nil means rules for any target group.
	TargetGroupID *shared.ID

	// Search is free text supplied by the caller.
	// NOTE(review): it reaches the repository as-is; implementations must pass it
	// as a bound query parameter, never concatenate it into SQL.
	Search string

	// Pagination. No upper bound is declared here; DefaultAssignmentRuleFilter
	// supplies defaults, but the repository should still cap Limit so a caller
	// cannot request an unbounded page.
	Limit  int
	Offset int

	// Sorting.
	// NOTE(review): OrderBy is an untyped string whose valid values live only in
	// the comment below. Implementations must check it against that allow-list
	// (and fall back to a default column otherwise) rather than interpolating the
	// raw value into an ORDER BY clause.
	OrderBy   string // "name", "priority", "created_at"
	OrderDesc bool
}

AssignmentRuleFilter contains filter options for listing assignment rules.

func DefaultAssignmentRuleFilter

func DefaultAssignmentRuleFilter() AssignmentRuleFilter

DefaultAssignmentRuleFilter returns a default filter.

type EffectivePermissions

type EffectivePermissions struct {
	// Permissions is the resolved, flattened permission list for the entity.
	Permissions []permission.Permission
	// Sources records where each entry in Permissions came from (permission set
	// or custom override); filled in by PermissionResolver.ResolveWithSources for
	// auditing and debugging.
	Sources     []PermissionSource
}

EffectivePermissions represents the resolved permissions for an entity.

type GroupPermission

type GroupPermission struct {
	// contains filtered or unexported fields
}

GroupPermission represents a custom permission override for a group.

func NewGroupPermission

func NewGroupPermission(groupID shared.ID, permissionID string, effect PermissionEffect, createdBy *shared.ID) (*GroupPermission, error)

NewGroupPermission creates a new group permission override.

func ReconstituteGroupPermission

func ReconstituteGroupPermission(
	groupID shared.ID,
	permissionID string,
	effect PermissionEffect,
	scopeType *ScopeType,
	scopeValue *ScopeValue,
	createdAt time.Time,
	createdBy *shared.ID,
) *GroupPermission

ReconstituteGroupPermission recreates a GroupPermission from persistence.

func (*GroupPermission) CreatedAt

func (gp *GroupPermission) CreatedAt() time.Time

CreatedAt returns when this permission was created.

func (*GroupPermission) CreatedBy

func (gp *GroupPermission) CreatedBy() *shared.ID

CreatedBy returns who created this permission.

func (*GroupPermission) Effect

func (gp *GroupPermission) Effect() PermissionEffect

Effect returns the permission effect.

func (*GroupPermission) GroupID

func (gp *GroupPermission) GroupID() shared.ID

GroupID returns the group ID.

func (*GroupPermission) HasScope

func (gp *GroupPermission) HasScope() bool

HasScope checks if this permission has a scope restriction.

func (*GroupPermission) IsAllow

func (gp *GroupPermission) IsAllow() bool

IsAllow checks if this is an allow effect.

func (*GroupPermission) IsDeny

func (gp *GroupPermission) IsDeny() bool

IsDeny checks if this is a deny effect.

func (*GroupPermission) PermissionID

func (gp *GroupPermission) PermissionID() string

PermissionID returns the permission ID.

func (*GroupPermission) ScopeType

func (gp *GroupPermission) ScopeType() *ScopeType

ScopeType returns the scope type (if any).

func (*GroupPermission) ScopeValue

func (gp *GroupPermission) ScopeValue() *ScopeValue

ScopeValue returns the scope value (if any).

func (*GroupPermission) SetScope

func (gp *GroupPermission) SetScope(scopeType ScopeType, scopeValue *ScopeValue) error

SetScope sets the scope for this permission.

type GroupWithAssets

type GroupWithAssets struct {
	// GroupID identifies the owning group.
	GroupID  shared.ID
	// AssetIDs lists the assets for which GroupID holds an ownership record.
	AssetIDs []shared.ID
}

GroupWithAssets represents a group with its owned assets.

type OwnershipType

type OwnershipType string

OwnershipType represents the type of asset ownership.

// Ownership types, ordered from most to least access: primary and secondary
// grant full access, stakeholder grants view access only, informed grants no
// access. These are the only values accepted by OwnershipType.IsValid.
const (
	// OwnershipPrimary is the main owner with full access and primary responsibility.
	OwnershipPrimary OwnershipType = "primary"
	// OwnershipSecondary is a co-owner with full access and shared responsibility.
	OwnershipSecondary OwnershipType = "secondary"
	// OwnershipStakeholder has view access and receives critical notifications only.
	OwnershipStakeholder OwnershipType = "stakeholder"
	// OwnershipInformed has no access but receives summary notifications only.
	OwnershipInformed OwnershipType = "informed"
)

func AllOwnershipTypes

func AllOwnershipTypes() []OwnershipType

AllOwnershipTypes returns all valid ownership types.

func (OwnershipType) HasFullAccess

func (t OwnershipType) HasFullAccess() bool

HasFullAccess checks if this ownership type grants full access.

func (OwnershipType) HasViewAccess

func (t OwnershipType) HasViewAccess() bool

HasViewAccess checks if this ownership type grants view access.

func (OwnershipType) IsValid

func (t OwnershipType) IsValid() bool

IsValid checks if the ownership type is valid.

func (OwnershipType) ReceivesAllNotifications

func (t OwnershipType) ReceivesAllNotifications() bool

ReceivesAllNotifications checks if this ownership type receives all notifications.

func (OwnershipType) ReceivesNotifications

func (t OwnershipType) ReceivesNotifications() bool

ReceivesNotifications checks if this ownership type receives notifications.

func (OwnershipType) String

func (t OwnershipType) String() string

String returns the string representation.

type PermissionEffect

type PermissionEffect string

PermissionEffect represents the effect of a permission grant.

// Valid PermissionEffect values. A deny override takes precedence over an
// allow for the same permission (see EffectDeny).
const (
	// EffectAllow grants the permission.
	EffectAllow PermissionEffect = "allow"
	// EffectDeny denies the permission (overrides allow).
	EffectDeny PermissionEffect = "deny"
)

func (PermissionEffect) IsValid

func (e PermissionEffect) IsValid() bool

IsValid checks if the effect is valid.

func (PermissionEffect) String

func (e PermissionEffect) String() string

String returns the string representation.

type PermissionResolver

type PermissionResolver struct{}

PermissionResolver resolves effective permissions for users and groups. It handles permission inheritance, additions, and removals.

func NewPermissionResolver

func NewPermissionResolver() *PermissionResolver

NewPermissionResolver creates a new PermissionResolver.

func (*PermissionResolver) HasAllPermissions

HasAllPermissions checks if a permission set grants all of the specified permissions.

func (*PermissionResolver) HasAnyPermission

HasAnyPermission checks if a permission set grants any of the specified permissions.

func (*PermissionResolver) HasPermission

HasPermission checks if a permission set grants a specific permission.

func (*PermissionResolver) ResolveGroupPermissions

func (r *PermissionResolver) ResolveGroupPermissions(
	permissionSets []*permissionset.PermissionSetWithItems,
	parentChains map[shared.ID][]*permissionset.PermissionSetWithItems,
	customPermissions []*GroupPermission,
) []permission.Permission

ResolveGroupPermissions resolves the effective permissions for a group. It combines permissions from permission sets and custom group permissions.

func (*PermissionResolver) ResolvePermissionSetPermissions

func (r *PermissionResolver) ResolvePermissionSetPermissions(
	ps *permissionset.PermissionSetWithItems,
	parentChain []*permissionset.PermissionSetWithItems,
) []permission.Permission

ResolvePermissionSetPermissions resolves the effective permissions for a permission set. For extended sets, it applies: Parent Permissions + Additions - Removals. For other sets, it returns the direct permissions.

func (*PermissionResolver) ResolveUserPermissions

func (r *PermissionResolver) ResolveUserPermissions(
	groupPermissions [][]permission.Permission,
) []permission.Permission

ResolveUserPermissions resolves the effective permissions for a user. It merges permissions from all groups the user belongs to.

func (*PermissionResolver) ResolveWithSources

func (r *PermissionResolver) ResolveWithSources(
	permissionSets []*permissionset.PermissionSetWithItems,
	parentChains map[shared.ID][]*permissionset.PermissionSetWithItems,
	customPermissions []*GroupPermission,
) *EffectivePermissions

ResolveWithSources resolves permissions and tracks their sources. This is useful for auditing and debugging permission issues.

type PermissionSource

type PermissionSource struct {
	// PermissionID is the permission this record explains.
	PermissionID     string
	// SourceType says what kind of object granted or removed the permission.
	SourceType       string    // "permission_set", "custom_permission"
	// SourceID is the ID of that object; whether it is a permission set ID or a
	// group ID depends on SourceType.
	SourceID         shared.ID // Permission set ID or group ID
	// SourceName is a display name for SourceID, for audit output.
	SourceName       string    // Human-readable name
	// ModificationType says how the source affected the permission.
	// NOTE(review): SourceType and ModificationType are untyped strings whose
	// valid values exist only in these comments; a typed string with IsValid
	// (as PermissionEffect does) would catch typos before they reach audit logs.
	ModificationType string    // "add", "remove", "inherited"
}

PermissionSource describes where a permission came from.

type Repository

type Repository interface {
	// Asset Ownership
	//
	// NOTE(review): the accessors below are keyed by (assetID, groupID) only,
	// yet AssetOwner also models direct user ownership (NewAssetOwnerForUser,
	// AssetOwner.UserID). No Get/Delete keyed by userID appears here — confirm
	// how user-owned records are looked up and revoked, since a revocation path
	// that cannot reach them would leave that access in place.
	CreateAssetOwner(ctx context.Context, ao *AssetOwner) error
	GetAssetOwner(ctx context.Context, assetID, groupID shared.ID) (*AssetOwner, error)
	UpdateAssetOwner(ctx context.Context, ao *AssetOwner) error
	DeleteAssetOwner(ctx context.Context, assetID, groupID shared.ID) error
	ListAssetOwners(ctx context.Context, assetID shared.ID) ([]*AssetOwner, error)
	ListAssetsByGroup(ctx context.Context, groupID shared.ID) ([]shared.ID, error)
	ListGroupsByAsset(ctx context.Context, assetID shared.ID) ([]shared.ID, error)
	CountAssetOwners(ctx context.Context, assetID shared.ID) (int64, error)
	// HasPrimaryOwner presumably reports whether assetID has at least one
	// OwnershipPrimary record; ErrLastPrimaryOwner guards removal of the last one.
	HasPrimaryOwner(ctx context.Context, assetID shared.ID) (bool, error)

	// User-Asset access queries
	//
	// NOTE(review): ListAccessibleAssets is tenant-scoped, but CanAccessAsset and
	// GetUserAssetAccess take only (userID, assetID). Implementations must still
	// enforce tenant isolation for those two: an asset belonging to a different
	// tenant than the user should yield false / not-found rather than a
	// cross-tenant answer. Confirm the underlying query constrains on tenant.
	ListAccessibleAssets(ctx context.Context, tenantID, userID shared.ID) ([]shared.ID, error)
	CanAccessAsset(ctx context.Context, userID, assetID shared.ID) (bool, error)
	GetUserAssetAccess(ctx context.Context, userID, assetID shared.ID) (*UserAssetAccess, error)

	// Group Permissions (custom overrides)
	//
	// An override is keyed by (groupID, permissionID); creating a duplicate is
	// the ErrGroupPermissionExists case.
	CreateGroupPermission(ctx context.Context, gp *GroupPermission) error
	GetGroupPermission(ctx context.Context, groupID shared.ID, permissionID string) (*GroupPermission, error)
	UpdateGroupPermission(ctx context.Context, gp *GroupPermission) error
	DeleteGroupPermission(ctx context.Context, groupID shared.ID, permissionID string) error
	ListGroupPermissions(ctx context.Context, groupID shared.ID) ([]*GroupPermission, error)
	// ListGroupPermissionsByEffect returns only the overrides whose effect is
	// the given EffectAllow / EffectDeny.
	ListGroupPermissionsByEffect(ctx context.Context, groupID shared.ID, effect PermissionEffect) ([]*GroupPermission, error)

	// Assignment Rules
	//
	// ListAssignmentRules and CountAssignmentRules apply AssignmentRuleFilter;
	// implementations should validate filter.OrderBy against its documented
	// values and bound filter.Limit rather than trusting caller input.
	CreateAssignmentRule(ctx context.Context, rule *AssignmentRule) error
	GetAssignmentRule(ctx context.Context, id shared.ID) (*AssignmentRule, error)
	UpdateAssignmentRule(ctx context.Context, rule *AssignmentRule) error
	DeleteAssignmentRule(ctx context.Context, id shared.ID) error
	ListAssignmentRules(ctx context.Context, tenantID shared.ID, filter AssignmentRuleFilter) ([]*AssignmentRule, error)
	CountAssignmentRules(ctx context.Context, tenantID shared.ID, filter AssignmentRuleFilter) (int64, error)
	// ListActiveRulesByPriority presumably returns active rules with higher
	// Priority first (AssignmentRule.Priority: "higher = evaluated first") —
	// confirm the sort direction in the implementation.
	ListActiveRulesByPriority(ctx context.Context, tenantID shared.ID) ([]*AssignmentRule, error)

	// Materialized view operations
	//
	// RefreshUserAccessibleAssets rebuilds the precomputed user→asset access data.
	// NOTE(review): if CanAccessAsset / ListAccessibleAssets read from that view,
	// an ownership change is not visible to access checks until this runs, so a
	// removed owner keeps access for up to one refresh interval. Confirm whether
	// the access queries read live tables or the view, and how often it refreshes.
	RefreshUserAccessibleAssets(ctx context.Context) error
}

Repository defines the interface for access control persistence.

type ScopeType

type ScopeType string

ScopeType represents the type of permission scope.

// Scope types narrow where a GroupPermission applies (GroupPermission.SetScope);
// the per-type configuration lives in ScopeValue. These are the only values
// accepted by ScopeType.IsValid.
const (
	// ScopeAll applies to all resources.
	ScopeAll ScopeType = "all"
	// ScopeOwnedAssets applies only to assets owned by the group.
	ScopeOwnedAssets ScopeType = "owned_assets"
	// ScopeAssetType applies to specific asset types.
	ScopeAssetType ScopeType = "asset_type"
	// ScopeAssetTags applies to assets with specific tags.
	ScopeAssetTags ScopeType = "asset_tags"
	// ScopeSeverity applies to findings with specific severity levels.
	ScopeSeverity ScopeType = "severity"
)

func AllScopeTypes

func AllScopeTypes() []ScopeType

AllScopeTypes returns all valid scope types.

func (ScopeType) IsValid

func (s ScopeType) IsValid() bool

IsValid checks if the scope type is valid.

func (ScopeType) String

func (s ScopeType) String() string

String returns the string representation.

type ScopeValue

type ScopeValue struct {
	// AssetTypes is presumably the list consulted for ScopeAssetType.
	AssetTypes  []string `json:"asset_types,omitempty"`
	// Tags is presumably the list consulted for ScopeAssetTags.
	Tags        []string `json:"tags,omitempty"`
	// MinSeverity is presumably the threshold consulted for ScopeSeverity. The
	// severity ordering used for the comparison is not defined in this package
	// — confirm with the evaluator.
	MinSeverity string   `json:"min_severity,omitempty"`
}

ScopeValue represents the configuration for a scope.

type UserAccessibleAsset

type UserAccessibleAsset struct {
	// AssetID identifies the accessible asset.
	AssetID       shared.ID
	// OwnershipType is the ownership level through which the user reaches it.
	OwnershipType OwnershipType
	// TenantID is the tenant the asset belongs to; callers should check it
	// against the requesting tenant rather than assume it matches.
	TenantID      shared.ID
}

UserAccessibleAsset represents an asset accessible by a user.

type UserAssetAccess

type UserAssetAccess struct {
	// UserID and AssetID identify the (user, asset) pair this record describes.
	UserID        shared.ID
	AssetID       shared.ID
	// OwnershipType is the ownership level through which the user reaches the asset.
	OwnershipType OwnershipType
	// GroupID and GroupName identify the group that confers the access.
	// NOTE(review): GroupID is a plain shared.ID, whereas AssetOwner.GroupID is
	// nil for direct user ownership; confirm what this field holds for a
	// user-owned asset (zero value?) before callers treat it as always valid.
	GroupID       shared.ID
	GroupName     string
}

UserAssetAccess represents a user's access to an asset.
