feat: create system roles

internal/user/permissions.go

@@ -2,6 +2,7 @@ package user
 
 import (
 	"context"
+	"fmt"
 	"log"
 
 	"gitea.local/admin/hspguard/internal/repository"
@@ -11,6 +12,11 @@ func String(s string) *string {
 	return &s
 }
 
+type RolePermissions struct {
+	Permissions []string `json:"permissions"`
+	repository.Role
+}
+
 var (
 	SYSTEM_SCOPE       string                  = "system"
 	SYSTEM_PERMISSIONS []repository.Permission = []repository.Permission{
@@ -46,6 +52,111 @@ var (
 			Name:        "revoke_sessions",
 			Description: String("Allow users to revoke their active sessions"),
 		},
+		{
+			Name:        "view_api_services",
+			Description: String("Allow users to view API Services (for admin)"),
+		},
+		{
+			Name:        "add_api_services",
+			Description: String("Allow users to register new API Services (for admin)"),
+		},
+		{
+			Name:        "edit_api_services",
+			Description: String("Allow users to edit API Services (for admin)"),
+		},
+		{
+			Name:        "remove_api_services",
+			Description: String("Allow users to remove API Services (for admin)"),
+		},
+		{
+			Name:        "view_users",
+			Description: String("Allow users to view other users (for admin)"),
+		},
+		{
+			Name:        "add_users",
+			Description: String("Allow users to create new users (for admin)"),
+		},
+		// TODO: block, delete users
+		{
+			Name:        "view_user_sessions",
+			Description: String("Allow users to view user sessions (for admin)"),
+		},
+		{
+			Name:        "revoke_user_sessions",
+			Description: String("Allow users to revoke user sessions (for admin)"),
+		},
+		{
+			Name:        "view_service_sessions",
+			Description: String("Allow users to view service sessions (for admin)"),
+		},
+		{
+			Name:        "revoke_service_sessions",
+			Description: String("Allow users to revoke service sessions (for admin)"),
+		},
+		{
+			Name:        "view_permissions",
+			Description: String("Allow users to view all permissions (for admin)"),
+		},
+		{
+			Name:        "view_roles_groups",
+			Description: String("Allow users to view roles & groups (for admin)"),
+		},
+	}
+	SYSTEM_ROLES []RolePermissions = []RolePermissions{
+		{
+			Permissions: []string{
+				"system_log_into_guard",
+				"system_register",
+				"system_edit_profile",
+				"system_recover_credentials",
+				"system_verify_profile",
+				"system_access_home_services",
+				"system_view_sessions",
+				"system_revoke_sessions",
+				"system_view_api_services",
+				"system_add_api_services",
+				"system_edit_api_services",
+				"system_remove_api_services",
+				"system_view_users",
+				"system_add_users",
+				"system_view_user_sessions",
+				"system_revoke_user_sessions",
+				"system_view_service_sessions",
+				"system_revoke_service_sessions",
+				"system_view_permissions",
+				"system_view_roles_groups",
+			},
+			Role: repository.Role{
+				Name:        "admin",
+				Description: String("User with full power"),
+			},
+		},
+		{
+			Permissions: []string{
+				"system_log_into_guard",
+				"system_register",
+				"system_edit_profile",
+				"system_recover_credentials",
+				"system_verify_profile",
+				"system_access_home_services",
+				"system_view_sessions",
+				"system_revoke_sessions",
+			},
+			Role: repository.Role{
+				Name:        "family_member",
+				Description: String("User that is able to use home services"),
+			},
+		},
+		{
+			Permissions: []string{
+				"system_log_into_guard",
+				"system_register",
+			},
+			Role: repository.Role{
+				Name:        "guest",
+				Description: String("New user that needs approve for everything from admin"),
+			},
+		},
 	}
 )
 
@@ -67,4 +178,35 @@ func EnsureSystemPermissions(ctx context.Context, repo *repository.Queries) {
 			}
 		}
 	}
+
+	for _, role := range SYSTEM_ROLES {
+		found, err := repo.FindRole(ctx, repository.FindRoleParams{
+			Scope: SYSTEM_SCOPE,
+			Name:  role.Name,
+		})
+		if err != nil {
+			log.Printf("INFO: Create new SYSTEM role '%s'\n", role.Name)
+			found, err = repo.CreateRole(ctx, repository.CreateRoleParams{
+				Name:        role.Name,
+				Scope:       SYSTEM_SCOPE,
+				Description: role.Description,
+			})
+			if err != nil {
+				log.Fatalf("ERR: Failed to create SYSTEM role '%s': %v\n", role.Name, err)
+			}
+		}
+
+		var mappedPerms []string
+
+		for _, perm := range role.Permissions {
+			mappedPerms = append(mappedPerms, fmt.Sprintf("%s_%s", SYSTEM_SCOPE, perm))
+		}
+
+		if err := repo.AddPermissionsToRoleByKey(ctx, repository.AddPermissionsToRoleByKeyParams{
+			RoleID:         found.ID,
+			PermissionKeys: mappedPerms,
+		}); err != nil {
+			log.Fatalf("ERR: Failed to assign required permissions to SYSTEM role %s: %v\n", found.Name, err)
+		}
+	}
 }