package service
import (
"context"
"fmt"
"tss-rocks-be/ent"
"tss-rocks-be/ent/permission"
"tss-rocks-be/ent/role"
)
// RBACService bootstraps the application's roles and permissions on top of
// the ent client it is given.
type RBACService struct {
	// client is the ent client used for every role and permission query.
	client *ent.Client
}
// NewRBACService returns an RBACService backed by client.
//
// The client is stored as given; no nil check is performed, so callers must
// pass a connected client before calling InitializeRBAC.
func NewRBACService(client *ent.Client) *RBACService {
	svc := &RBACService{client: client}
	return svc
}
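// InitializeRBAC sets up the initial RBAC configuration.
//
// It is idempotent: the "admin" and "editor" roles and every permission in
// the default policy below are created only when they are missing, so the
// method can run on every service start. Admin holds every action on every
// resource; editor is a strict subset (no delete, no user or role
// management).
//
// The lookups and creates are not wrapped in a transaction, so two instances
// bootstrapping concurrently can race on the same role or permission row; a
// unique constraint in the schema would surface that as a create error here
// rather than as a duplicate (TODO confirm the ent schema enforces one).
//
// Returns the first query or create error, wrapped with the step that was
// running; the error text is unchanged from the previous inline version.
func (s *RBACService) InitializeRBAC(ctx context.Context) error {
	adminRole, err := s.ensureRole(ctx, "admin")
	if err != nil {
		return err
	}
	editorRole, err := s.ensureRole(ctx, "editor")
	if err != nil {
		return err
	}

	// Default policy: each entry grants the listed actions on one resource to
	// one role. Order matters only for which error is reported first.
	permissions := []struct {
		role     *ent.Role
		resource string
		actions  []string
	}{
		{adminRole, "users", []string{"create", "read", "update", "delete", "assign_role"}},
		{adminRole, "roles", []string{"create", "read", "update", "delete"}},
		{adminRole, "media", []string{"create", "read", "update", "delete"}},
		{adminRole, "posts", []string{"create", "read", "update", "delete"}},
		{adminRole, "categories", []string{"create", "read", "update", "delete"}},
		{adminRole, "contributors", []string{"create", "read", "update", "delete"}},
		{adminRole, "dailies", []string{"create", "read", "update", "delete"}},

		{editorRole, "media", []string{"create", "read", "update"}},
		{editorRole, "posts", []string{"create", "read", "update"}},
		{editorRole, "categories", []string{"read"}},
		{editorRole, "contributors", []string{"read"}},
		{editorRole, "dailies", []string{"create", "read", "update"}},
	}

	for _, p := range permissions {
		for _, action := range p.actions {
			if err := s.ensurePermission(ctx, p.role, p.resource, action); err != nil {
				return err
			}
		}
	}

	return nil
}

// ensureRole returns the role called name, creating it when no such role
// exists.
//
// Only is used for the lookup, so more than one role with the same name is
// reported as a query error rather than being resolved to one of them.
func (s *RBACService) ensureRole(ctx context.Context, name string) (*ent.Role, error) {
	r, err := s.client.Role.Query().
		Where(role.Name(name)).
		Only(ctx)
	switch {
	case err == nil:
		return r, nil
	case ent.IsNotFound(err):
		r, err = s.client.Role.Create().
			SetName(name).
			Save(ctx)
		if err != nil {
			return nil, fmt.Errorf("failed to create %s role: %w", name, err)
		}
		return r, nil
	default:
		return nil, fmt.Errorf("failed to query %s role: %w", name, err)
	}
}

// ensurePermission creates the (resource, action) permission for r unless one
// already linked to r exists.
//
// The existence check is scoped to r: a permission with the same resource
// and action that is attached only to another role does not count, so a
// second row is created rather than the existing one being linked to r.
// Whether that is acceptable depends on the permission schema's uniqueness
// rules (TODO confirm).
func (s *RBACService) ensurePermission(ctx context.Context, r *ent.Role, resource, action string) error {
	exists, err := s.client.Permission.Query().
		Where(
			permission.Resource(resource),
			permission.Action(action),
			permission.HasRolesWith(role.ID(r.ID)),
		).
		Exist(ctx)
	if err != nil {
		return fmt.Errorf("failed to query permission: %w", err)
	}
	if exists {
		return nil
	}

	_, err = s.client.Permission.Create().
		SetResource(resource).
		SetAction(action).
		AddRoles(r).
		Save(ctx)
	if err != nil {
		return fmt.Errorf("failed to create permission: %w", err)
	}
	return nil
}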