service backend

api/pkg/model/auth.go

@@ -0,0 +1,84 @@
+package model
+
+import (
+	"github.com/tech/sendico/pkg/db/storable"
+	"github.com/tech/sendico/pkg/mservice"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+// Action represents a permissible action on a resource.
+type Action string
+
+// Common actions for resources.
+const (
+	ActionCreate Action = "create" // Create a resource
+	ActionRead   Action = "read"   // Read or view a resource
+	ActionUpdate Action = "update" // Update or modify a resource
+	ActionDelete Action = "delete" // Delete a resource
+)
+
+// Effect determines whether an action is allowed or denied.
+type Effect string
+
+const (
+	EffectAllow Effect = "allow" // Permit the action
+	EffectDeny  Effect = "deny"  // Deny the action
+)
+
+// RoleDescription provides metadata about a role.
+type RoleDescription struct {
+	storable.Base   `bson:",inline" json:",inline"` // Base fields for MongoDB documents
+	Describable     `bson:",inline" json:",inline"` // Name and description fields
+	OrganizationRef primitive.ObjectID              `bson:"organizationRef" json:"organizationRef"` // Organization associated with the role
+}
+
+// Collection specifies the MongoDB collection for RoleDescription.
+func (*RoleDescription) Collection() string {
+	return mservice.Roles
+}
+
+// Role represents a role assignment for an account within an organization.
+type Role struct {
+	AccountRef      primitive.ObjectID `bson:"accountRef" json:"accountRef"`           // Account assigned to the role
+	DescriptionRef  primitive.ObjectID `bson:"descriptionRef" json:"descriptionRef"`   // Reference to the role's description
+	OrganizationRef primitive.ObjectID `bson:"organizationRef" json:"organizationRef"` // Organization where the role is applicable
+}
+
+// ActionEffect represents a combination of an action and its effect (allow/deny).
+type ActionEffect struct {
+	Action Action `bson:"action" json:"action"` // The action to perform (e.g., read, write)
+	Effect Effect `bson:"effect" json:"effect"` // Whether the action is allowed or denied
+}
+
+// Policy defines access control rules for a role within an organization.
+type Policy struct {
+	OrganizationRef primitive.ObjectID  `bson:"organizationRef" json:"organizationRef"`         // Organization associated with the policy
+	DescriptionRef  primitive.ObjectID  `bson:"descriptionRef" json:"descriptionRef"`           // Reference to the policy's metadata
+	ObjectRef       *primitive.ObjectID `bson:"objectRef,omitempty" json:"objectRef,omitempty"` // Target object (NilObjectID for all objects)
+	Effect          ActionEffect        `bson:"effect" json:"effect"`                           // Action and effect for the policy
+}
+
+// RolePolicy defines access control rules for a role within an organization.
+type RolePolicy struct {
+	Policy             `bson:",inline" json:",inline"`
+	RoleDescriptionRef primitive.ObjectID `bson:"roleDescriptionRef" json:"roleDescriptionRef"` // Reference to the associated role
+}
+
+// PolicyDescription provides metadata for policies.
+type PolicyDescription struct {
+	storable.Base   `bson:",inline" json:",inline"` // Base fields for MongoDB documents
+	Describable     `bson:",inline" json:",inline"` // Name and description fields
+	ResourceTypes   *[]mservice.Type                `bson:"resourceTypes,omitempty" json:"resourceTypes,omitempty"`     // nil for custom policies, non-nil for built-in permissisons
+	OrganizationRef *primitive.ObjectID             `bson:"organizationRef,omitempty" json:"organizationRef,omitempty"` // nil for built-in policies, non-nil for custom
+}
+
+// Collection specifies the MongoDB collection for PolicyDescription.
+func (*PolicyDescription) Collection() string {
+	return mservice.Policies
+}
+
+// Permission ties a policy to a specific account.
+type Permission struct {
+	RolePolicy `bson:",inline" json:",inline"` // Embedded policy definition
+	AccountRef primitive.ObjectID              `bson:"accountRef" json:"accountRef"` // Account assigned the permission
+}