feat: beta version of role management for single user

2025-07-20 17:59:54 +02:00
parent 533e6ea6af
commit d35e5813b5
16 changed files with 680 additions and 177 deletions
--- a/internal/admin/roles.go
+++ b/internal/admin/roles.go
@ -7,6 +7,8 @@ import (

 	"gitea.local/admin/hspguard/internal/repository"
 	"gitea.local/admin/hspguard/internal/web"
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
 )

 func (h *AdminHandler) GetAllRoles(w http.ResponseWriter, r *http.Request) {
@ -59,3 +61,96 @@ func (h *AdminHandler) GetAllRoles(w http.ResponseWriter, r *http.Request) {
 		web.Error(w, "failed to encode response", http.StatusInternalServerError)
 	}
 }
+
+func (h *AdminHandler) GetUserRoles(w http.ResponseWriter, r *http.Request) {
+	userId := chi.URLParam(r, "user_id")
+
+	parsed, err := uuid.Parse(userId)
+	if err != nil {
+		log.Printf("ERR: Received invalid UUID on get user roles '%s': %v\n", userId, err)
+		web.Error(w, "invalid user id", http.StatusBadRequest)
+		return
+	}
+
+	rows, err := h.repo.GetUserRoles(r.Context(), parsed)
+	if err != nil {
+		log.Println("ERR: Failed to list roles from db:", err)
+		web.Error(w, "failed to get user roles", http.StatusInternalServerError)
+		return
+	}
+
+	if len(rows) == 0 {
+		rows = make([]repository.Role, 0)
+	}
+
+	encoder := json.NewEncoder(w)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := encoder.Encode(rows); err != nil {
+		web.Error(w, "failed to encode response", http.StatusInternalServerError)
+	}
+}
+
+type AssignRoleRequest struct {
+	RoleKey string `json:"role_key"`
+}
+
+func (h *AdminHandler) AssignUserRole(w http.ResponseWriter, r *http.Request) {
+	userId := chi.URLParam(r, "user_id")
+
+	var req AssignRoleRequest
+
+	decoder := json.NewDecoder(r.Body)
+
+	if err := decoder.Decode(&req); err != nil {
+		web.Error(w, "failed to parse request body", http.StatusBadRequest)
+		return
+	}
+
+	if req.RoleKey == "" {
+		web.Error(w, "role key is required for assign", http.StatusBadRequest)
+		return
+	}
+
+	parsed, err := uuid.Parse(userId)
+	if err != nil {
+		log.Printf("ERR: Failed to parse provided user ID '%s': %v\n", userId, err)
+		web.Error(w, "invalid user id provided", http.StatusBadRequest)
+		return
+	}
+
+	user, err := h.repo.FindUserId(r.Context(), parsed)
+	if err != nil {
+		web.Error(w, "no user found under provided id", http.StatusBadRequest)
+		return
+	}
+
+	if _, err := h.repo.FindUserRole(r.Context(), repository.FindUserRoleParams{
+		UserID: user.ID,
+		Key:    req.RoleKey,
+	}); err == nil {
+		log.Printf("INFO: Unassigning role '%s' for user with '%s' id", req.RoleKey, user.ID.String())
+		// Unassign Role
+		if err := h.repo.UnassignUserRole(r.Context(), repository.UnassignUserRoleParams{
+			UserID: user.ID,
+			Key:    req.RoleKey,
+		}); err != nil {
+			log.Printf("ERR: Failed to unassign role '%s' from user with '%s' id: %v\n", req.RoleKey, user.ID.String(), err)
+			web.Error(w, "failed to unassign role to user", http.StatusInternalServerError)
+			return
+		}
+	} else {
+		log.Printf("INFO: Assigning role '%s' for user with '%s' id", req.RoleKey, user.ID.String())
+		if err := h.repo.AssignUserRole(r.Context(), repository.AssignUserRoleParams{
+			UserID: user.ID,
+			Key:    req.RoleKey,
+		}); err != nil {
+			log.Printf("ERR: Failed to assign role '%s' to user with '%s' id: %v\n", req.RoleKey, user.ID.String(), err)
+			web.Error(w, "failed to assign role to user", http.StatusInternalServerError)
+			return
+		}
+	}
+
+	w.WriteHeader(http.StatusOK)
+}
--- a/internal/admin/routes.go
+++ b/internal/admin/routes.go
@ -46,6 +46,8 @@ func (h *AdminHandler) RegisterRoutes(router chi.Router) {
 		r.Get("/permissions/{user_id}", h.GetUserPermissions)

 		r.Get("/roles", h.GetAllRoles)
+		r.Get("/roles/{user_id}", h.GetUserRoles)
+		r.Patch("/roles/{user_id}", h.AssignUserRole)
 	})

 	router.Get("/api-services/client/{client_id}", h.GetApiServiceCID)
--- a/internal/repository/models.go
+++ b/internal/repository/models.go
@ -25,22 +25,6 @@ type ApiService struct {
 	IconUrl      *string   `json:"icon_url"`
 }

-type Group struct {
-	ID          uuid.UUID `json:"id"`
-	Name        string    `json:"name"`
-	Description *string   `json:"description"`
-}
-
-type GroupPermission struct {
-	GroupID      uuid.UUID `json:"group_id"`
-	PermissionID uuid.UUID `json:"permission_id"`
-}
-
-type GroupRole struct {
-	GroupID uuid.UUID `json:"group_id"`
-	RoleID  uuid.UUID `json:"role_id"`
-}
-
 type Permission struct {
 	ID          uuid.UUID `json:"id"`
 	Name        string    `json:"name"`
@ -95,11 +79,6 @@ type User struct {
 	Verified       bool       `json:"verified"`
 }

-type UserGroup struct {
-	UserID  uuid.UUID `json:"user_id"`
-	GroupID uuid.UUID `json:"group_id"`
-}
-
 type UserPermission struct {
 	UserID       uuid.UUID `json:"user_id"`
 	PermissionID uuid.UUID `json:"permission_id"`
--- a/internal/repository/permissions.sql.go
+++ b/internal/repository/permissions.sql.go
@ -123,32 +123,13 @@ func (q *Queries) GetGroupedPermissions(ctx context.Context) ([]GetGroupedPermis

 const getUserPermissions = `-- name: GetUserPermissions :many
 SELECT DISTINCT p.id,p.name,p.scope,p.description
-FROM permissions p
-LEFT JOIN role_permissions rp_user
-    ON p.id = rp_user.permission_id
-LEFT JOIN user_roles ur
-    ON rp_user.role_id = ur.role_id AND ur.user_id = $1
-LEFT JOIN user_groups ug
-    ON ug.user_id = $1
-LEFT JOIN group_roles gr
-    ON ug.group_id = gr.group_id
-LEFT JOIN role_permissions rp_group
-    ON gr.role_id = rp_group.role_id AND rp_group.permission_id = p.id
-LEFT JOIN user_permissions up
-    ON up.user_id = $1 AND up.permission_id = p.id
-LEFT JOIN group_permissions gp
-    ON gp.group_id = ug.group_id AND gp.permission_id = p.id
-WHERE ur.user_id IS NOT NULL
-   OR gr.group_id IS NOT NULL
-   OR up.user_id IS NOT NULL
-   OR gp.group_id IS NOT NULL
+FROM user_roles ur
+JOIN role_permissions rp ON ur.role_id = rp.role_id
+JOIN permissions p ON rp.permission_id = p.id
+WHERE ur.user_id = $1
 ORDER BY p.scope
 `

-// From roles assigned directly to the user
-// From roles assigned to user's groups
-// Direct permissions to user
-// Direct permissions to user's groups
 func (q *Queries) GetUserPermissions(ctx context.Context, userID uuid.UUID) ([]Permission, error) {
 	rows, err := q.db.Query(ctx, getUserPermissions, userID)
 	if err != nil {
--- a/internal/repository/roles.sql.go
+++ b/internal/repository/roles.sql.go
@ -56,6 +56,25 @@ func (q *Queries) AssignRolePermission(ctx context.Context, arg AssignRolePermis
 	return err
 }

+const assignUserRole = `-- name: AssignUserRole :exec
+INSERT INTO user_roles (user_id, role_id)
+VALUES ($1, (
+    SELECT id FROM roles r
+    WHERE r.scope = split_part($2, '_', 1)
+          AND r.name = right($2, length($2) - position('_' IN $2))
+))
+`
+
+type AssignUserRoleParams struct {
+	UserID uuid.UUID `json:"user_id"`
+	Key    string    `json:"key"`
+}
+
+func (q *Queries) AssignUserRole(ctx context.Context, arg AssignUserRoleParams) error {
+	_, err := q.db.Exec(ctx, assignUserRole, arg.UserID, arg.Key)
+	return err
+}
+
 const createRole = `-- name: CreateRole :one
 INSERT INTO roles (name, scope, description)
 VALUES ($1, $2, $3)
@ -103,6 +122,24 @@ func (q *Queries) FindRole(ctx context.Context, arg FindRoleParams) (Role, error
 	return i, err
 }

+const findUserRole = `-- name: FindUserRole :one
+SELECT user_id, role_id FROM user_roles
+WHERE user_id = $1 AND role_id = (SELECT id FROM roles r WHERE r.scope = split_part($2, '_', 1) AND r.name = right($2, length($2) - position('_' IN $2)))
+LIMIT 1
+`
+
+type FindUserRoleParams struct {
+	UserID uuid.UUID `json:"user_id"`
+	Key    string    `json:"key"`
+}
+
+func (q *Queries) FindUserRole(ctx context.Context, arg FindUserRoleParams) (UserRole, error) {
+	row := q.db.QueryRow(ctx, findUserRole, arg.UserID, arg.Key)
+	var i UserRole
+	err := row.Scan(&i.UserID, &i.RoleID)
+	return i, err
+}
+
 const getRoleAssignment = `-- name: GetRoleAssignment :one
 SELECT role_id, permission_id FROM role_permissions
 WHERE role_id = $1 AND permission_id = (SELECT id FROM permissions p WHERE p.scope = split_part($2, '_', 1) AND p.name = right($2, length($2) - position('_' IN $2)))
@ -130,6 +167,8 @@ SELECT
            r.id,
            'name',
            r.name,
+            'scope',
+            r.scope,
            'description',
            r.description,
            'permissions',
@ -191,3 +230,53 @@ func (q *Queries) GetRolesGroupedWithPermissions(ctx context.Context) ([]GetRole
 	}
 	return items, nil
 }
+
+const getUserRoles = `-- name: GetUserRoles :many
+SELECT r.id, r.name, r.scope, r.description FROM roles r
+JOIN user_roles ur ON r.id = ur.role_id
+WHERE ur.user_id = $1
+`
+
+func (q *Queries) GetUserRoles(ctx context.Context, userID uuid.UUID) ([]Role, error) {
+	rows, err := q.db.Query(ctx, getUserRoles, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Role
+	for rows.Next() {
+		var i Role
+		if err := rows.Scan(
+			&i.ID,
+			&i.Name,
+			&i.Scope,
+			&i.Description,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const unassignUserRole = `-- name: UnassignUserRole :exec
+DELETE FROM user_roles
+WHERE user_id = $1 AND role_id = (
+    SELECT id FROM roles r
+    WHERE r.scope = split_part($2, '_', 1)
+          AND r.name = right($2, length($2) - position('_' IN $2))
+)
+`
+
+type UnassignUserRoleParams struct {
+	UserID uuid.UUID `json:"user_id"`
+	Key    string    `json:"key"`
+}
+
+func (q *Queries) UnassignUserRole(ctx context.Context, arg UnassignUserRoleParams) error {
+	_, err := q.db.Exec(ctx, unassignUserRole, arg.UserID, arg.Key)
+	return err
+}