access

package v0.0.0-...-d0c5d8f

Warning: This package is not in the latest version of its module.

Published: May 14, 2026 License: AGPL-3.0 Imports: 35 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Attach

func Attach(mux goahttp.Muxer, service *Service)

Types

type FeatureCacheWriter

type FeatureCacheWriter interface {
	UpdateFeatureCache(ctx context.Context, organizationID string, feature productfeatures.Feature, enabled bool)
}

FeatureCacheWriter updates the Redis cache entry for a feature flag after a direct DB write, keeping the cache consistent with the authoritative state.

type RoleProvider

type RoleProvider interface {
	ListRoles(ctx context.Context, orgID string) ([]workos.Role, error)
	CreateRole(ctx context.Context, orgID string, opts workos.CreateRoleOpts) (*workos.Role, error)
	UpdateRole(ctx context.Context, orgID string, roleSlug string, opts workos.UpdateRoleOpts) (*workos.Role, error)
	DeleteRole(ctx context.Context, orgID string, roleSlug string) error
	ListMembers(ctx context.Context, orgID string) ([]workos.Member, error)
	UpdateMemberRole(ctx context.Context, membershipID string, roleSlug string) (*workos.Member, error)
	GetUser(ctx context.Context, userID string) (*workos.User, error)
	ListOrgUsers(ctx context.Context, orgID string) (map[string]workos.User, error)
	GetOrgMembership(ctx context.Context, workOSUserID, workOSOrgID string) (*workos.Member, error)
}

type Service

type Service struct {
	// contains filtered or unexported fields
}

func NewService

func NewService(
	logger *slog.Logger,
	tracerProvider trace.TracerProvider,
	db *pgxpool.Pool,
	chConn driver.Conn,
	sessions *sessions.Manager,
	roles RoleProvider,
	authz *authz.Engine,
	featureCache FeatureCacheWriter,
	auditLogger *audit.Logger,
) *Service

func (*Service) APIKeyAuth

func (s *Service) APIKeyAuth(ctx context.Context, key string, schema *security.APIKeyScheme) (context.Context, error)

func (*Service) CreateRole

func (s *Service) CreateRole(ctx context.Context, payload *gen.CreateRolePayload) (*gen.Role, error)

CreateRole creates a role for a user of a given organization. It is an idempotent operation, intentionally ordered so that member assignment happens last. If WorkOS role creation succeeds but the local grant sync fails, we return an error with no users assigned to the new role. That leaves a partially created role behind, but keeps the outcome safe and retryable: repeating the request can finish the configuration without any access having been granted by accident.

func (*Service) DeleteRole

func (s *Service) DeleteRole(ctx context.Context, payload *gen.DeleteRolePayload) error

DeleteRole removes local grants before deleting the WorkOS role so retries can still complete cleanup if the external delete fails.
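The write ordering described for CreateRole and DeleteRole above, as an added example written for this page rather than code from the access package. The Stores interface, the fakeStores backend, and the org_1, auditor, om_1/om_2 and tools:read values are constructed stand-ins, not the package's RoleProvider, its WorkOS types, or real identifiers. The fake can fail any one method once, which is enough to show that a failure between the two backends never leaves a member holding a role with grants, and that a plain retry completes either operation.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Stores is a hypothetical interface (not the package's RoleProvider) over the two
// backends: the external provider owning role records and membership, and the local grant store.
type Stores interface {
	CreateRole(ctx context.Context, orgID, slug string) error                     // external
	DeleteRole(ctx context.Context, orgID, slug string) error                     // external
	AssignMember(ctx context.Context, membershipID, slug string) error            // external
	ReplaceGrants(ctx context.Context, orgID, slug string, scopes []string) error // local
	DeleteGrants(ctx context.Context, orgID, slug string) error                   // local
}

// CreateRole writes the external role, then the local grants, then members last: a failed
// grant sync leaves a role nobody holds, and a retry re-runs every step (external create is idempotent).
func CreateRole(ctx context.Context, st Stores, orgID, slug string, scopes, members []string) error {
	if err := st.CreateRole(ctx, orgID, slug); err != nil {
		return fmt.Errorf("create external role: %w", err)
	}
	if err := st.ReplaceGrants(ctx, orgID, slug, scopes); err != nil {
		return fmt.Errorf("sync local grants (no members assigned): %w", err)
	}
	for _, m := range members {
		if err := st.AssignMember(ctx, m, slug); err != nil {
			return fmt.Errorf("assign member %s: %w", m, err)
		}
	}
	return nil
}

// DeleteRole removes local grants first, so a failed external delete leaves a
// role that carries no permissions and a retry only repeats the external step.
func DeleteRole(ctx context.Context, st Stores, orgID, slug string) error {
	if err := st.DeleteGrants(ctx, orgID, slug); err != nil {
		return fmt.Errorf("delete local grants: %w", err)
	}
	if err := st.DeleteRole(ctx, orgID, slug); err != nil {
		return fmt.Errorf("delete external role: %w", err)
	}
	return nil
}

// fakeStores is an in-memory Stores; FailNext names the method whose next call fails once.
type fakeStores struct {
	roles    map[string]bool     // "org/slug" -> exists
	members  map[string]string   // membershipID -> role slug
	grants   map[string][]string // "org/slug" -> scopes
	FailNext string
}

// run applies fn unless method is the one scheduled to fail.
func (f *fakeStores) run(method string, fn func()) error {
	if f.FailNext == method {
		f.FailNext = ""
		return errors.New(method + ": backend unavailable")
	}
	fn()
	return nil
}

func (f *fakeStores) CreateRole(_ context.Context, orgID, slug string) error {
	return f.run("CreateRole", func() { f.roles[orgID+"/"+slug] = true }) // re-create is a no-op
}
func (f *fakeStores) DeleteRole(_ context.Context, orgID, slug string) error {
	return f.run("DeleteRole", func() { delete(f.roles, orgID+"/"+slug) })
}
func (f *fakeStores) AssignMember(_ context.Context, id, slug string) error {
	return f.run("AssignMember", func() { f.members[id] = slug })
}
func (f *fakeStores) ReplaceGrants(_ context.Context, orgID, slug string, scopes []string) error {
	return f.run("ReplaceGrants", func() { f.grants[orgID+"/"+slug] = append([]string(nil), scopes...) })
}
func (f *fakeStores) DeleteGrants(_ context.Context, orgID, slug string) error {
	return f.run("DeleteGrants", func() { delete(f.grants, orgID+"/"+slug) })
}

// RunScenarios fails the grant sync on the first create and the external delete on the
// first delete, then retries both; success of each retry is visible in the returned counts.
func RunScenarios() (membersAfterFail, membersAfterRetry, grantsAfterFail, rolesAfterRetry int) {
	st := &fakeStores{roles: map[string]bool{}, members: map[string]string{}, grants: map[string][]string{}}
	ctx, scopes, members := context.Background(), []string{"tools:read"}, []string{"om_1", "om_2"} // constructed
	st.FailNext = "ReplaceGrants"
	_ = CreateRole(ctx, st, "org_1", "auditor", scopes, members) // fails after the external create
	membersAfterFail = len(st.members)                           // nobody was assigned
	_ = CreateRole(ctx, st, "org_1", "auditor", scopes, members) // retry completes configuration
	membersAfterRetry = len(st.members)
	st.FailNext = "DeleteRole"
	_ = DeleteRole(ctx, st, "org_1", "auditor") // fails after the local grants are gone
	grantsAfterFail = len(st.grants)            // role already carries no permissions
	_ = DeleteRole(ctx, st, "org_1", "auditor") // retry finishes the external delete
	return membersAfterFail, membersAfterRetry, grantsAfterFail, len(st.roles)
}

func main() {
	fmt.Println(RunScenarios()) // 0 2 0 0
}
```

The two orderings are mirror images of each other: on create, the step that actually confers access (member assignment) runs last, so every earlier failure is fail-closed; on delete, the step that removes access (dropping local grants) runs first, so a failure of the external provider afterwards leaves only an empty role to clean up.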

func (*Service) DisableRBAC

func (s *Service) DisableRBAC(ctx context.Context, _ *gen.DisableRBACPayload) error

func (*Service) EnableRBAC

func (s *Service) EnableRBAC(ctx context.Context, _ *gen.EnableRBACPayload) error

func (*Service) GetRBACStatus

func (s *Service) GetRBACStatus(ctx context.Context, _ *gen.GetRBACStatusPayload) (*gen.RBACStatus, error)

func (*Service) GetRole

func (s *Service) GetRole(ctx context.Context, payload *gen.GetRolePayload) (*gen.Role, error)

GetRole returns the WorkOS role definition enriched with Gram's local grant state so callers see the complete effective role configuration in one place.

func (*Service) ListChallengeBuckets

func (s *Service) ListChallengeBuckets(ctx context.Context, payload *gen.ListChallengeBucketsPayload) (*gen.ListChallengeBucketsResult, error)

func (*Service) ListChallenges

func (s *Service) ListChallenges(ctx context.Context, payload *gen.ListChallengesPayload) (*gen.ListChallengesResult, error)

func (*Service) ListGrants

ListGrants returns the effective grants for the current user by combining direct user grants with grants inherited from their currently assigned role.

func (*Service) ListMembers

ListMembers follows the original access API contract by returning WorkOS user identifiers while decorating them with the role information the UI needs.

func (*Service) ListRoles

func (s *Service) ListRoles(ctx context.Context, _ *gen.ListRolesPayload) (*gen.ListRolesResult, error)

ListRoles treats WorkOS as the source of truth for role records while Gram remains the source of truth for role grants.

func (*Service) ListScopes

ListScopes exposes the stable set of grantable scopes so clients can build role editing UX without hardcoding permission definitions.

func (*Service) ResolveChallenge

func (s *Service) ResolveChallenge(ctx context.Context, payload *gen.ResolveChallengePayload) (*gen.ResolveChallengesResult, error)

func (*Service) UpdateMemberRole

func (s *Service) UpdateMemberRole(ctx context.Context, payload *gen.UpdateMemberRolePayload) (*gen.AccessMember, error)

UpdateMemberRole is intentionally stricter than member listing: it only mutates access for users Gram knows are connected to the local organization.

func (*Service) UpdateRole

func (s *Service) UpdateRole(ctx context.Context, payload *gen.UpdateRolePayload) (*gen.Role, error)

UpdateRole preserves the same split of responsibilities as creation: WorkOS owns role identity and membership, while Gram owns the role's grant set.
