feat(auth): initial implementation — authmw and rbac (v1.0.0)

Introduces code.nochebuena.dev/einherjar/auth — the provider-agnostic HTTP authentication and authorization layer of the Einherjar framework. Absorbs two micro-lib packages (httpauth, rbac) as sub-packages, replacing the Identity-only context model with a SecurityBag-native design and adding a composable enrichment chain.

authmw:
- BagEnricher function type — enriches the request-scoped SecurityBag after the base Identity is built; registered via WithBagEnricher; multiple enrichers run in order, each receiving the bag from the previous
- IdentityEnricher interface — application-layer contract for loading user data from uid+claims
- EnrichmentMiddleware — builds SecurityBag from uid+claims, runs enricher chain, stores via security.SetBagInContext; 401 on missing uid, 500 on enricher error; routes all errors through httputil.Error
- AuthzMiddleware — per-route permission gate; 401 on missing identity, 403 on provider error (fail-closed) or insufficient permissions
- EnrichOpt type + WithTenantHeader (reads TenantID from header, implemented as a BagEnricher) + WithBagEnricher (registers custom enrichers for hardware IDs, grant codes, or any bag attribute)
- SetTokenData / GetClaims — integration contract for auth-jwt / auth-firebase

rbac:
- NewClaimsPermissionProvider — reads flat JWT claim bitmasks from context; wildcard "*" fallback; handles int64/float64/json.Number; zero DB calls
- NewCachedPermissionProvider — TTL cache wrapping any PermissionProvider; default key "rbac:{uid}:{resource}" or "rbac:{tenantID}:{uid}:{resource}"; TenantID sourced from SecurityBag automatically; accepts ...CachedOpt
- CachedOpt type + WithCacheKey — overrides the key function for extra dimensions (hardware IDs, grant codes read from bag attributes)
- NewChainPermissionProvider — tries providers in order; first non-zero wins; errors short-circuit; typical pattern: claims → cached DB fallback
- Cache interface — pluggable backend satisfied by cache-valkey via duck typing

Compliance test (package auth_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage across the full middleware and provider surface: enrichment success/failure, tenant header, custom BagEnricher, bag-in-context, authz allowed/denied/error, claims hit/wildcard/missing/float64, cached hit/miss/error/tenant-key/custom-key, chain first-non-zero/fallthrough/error.

Depends on contracts v1.0.0, core v1.0.0, web v1.0.0.

- identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth is middleware-only; not registered with the launcher
2026-05-29 16:11:21 +00:00
// Package rbac provides permission provider implementations for the Einherjar
// authorization system. All constructors return [security.PermissionProvider]
// from contracts/security — no new types are defined here.
//
// # Permission providers
//
// Three strategies compose into a complete authorization pipeline:
//
//	// Fast-path: reads pre-computed bitmasks from JWT claims in context.
//	// Pass authmw.GetClaims so rbac does not import authmw directly.
//	claims := rbac.NewClaimsPermissionProvider("perms", authmw.GetClaims)
//
//	// DB + cache: wraps any provider with TTL caching. Cache key is
//	// automatically scoped by TenantID for multi-tenant deployments.
//	cached := rbac.NewCachedPermissionProvider(dbProvider, valkeyCache, 5*time.Minute)
//
//	// Chain: tries claims first, falls through to DB on miss.
//	chain := rbac.NewChainPermissionProvider(claims, cached)
//
// # Cache key customization
//
// When additional bag attributes must be part of the cache key (e.g. hardware IDs):
//
//	const KeyHardwareID = "hardware_id"
//
//	cached := rbac.NewCachedPermissionProvider(dbProvider, cache, 5*time.Minute,
//		rbac.WithCacheKey(func(bag security.SecurityBag, uid, resource string) string {
//			hwID, _ := bag.Get(KeyHardwareID)
//			return fmt.Sprintf("rbac:%s:%s:%v:%s", bag.Identity().TenantID, uid, hwID, resource)
//		}),
//	)
//
// # Cache interface
//
// [Cache] is satisfied by einherjar/cache-valkey via Go duck typing.
// No import of auth/rbac is needed by the cache implementation.
//
// # Multi-tenant
//
// [NewCachedPermissionProvider] automatically includes TenantID in the cache key
// when [security.Identity.TenantID] is non-empty in the request bag.
// Populate TenantID via [authmw.WithTenantHeader] in EnrichmentMiddleware.
package rbac
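As an added illustration (not the project's code, whose contracts/security interfaces are not shown on this page), a minimal stand-alone Go version of the two rbac behaviours the doc comment describes: the claims fast-path with its wildcard fallback and mixed numeric claim types, and the chain that takes the first non-zero mask but lets any provider error short-circuit so the authz gate fails closed. The `Provider` func type is a hypothetical stand-in for security.PermissionProvider.

```go
package main

import "encoding/json"

// Provider stands in for the PermissionProvider contract (hypothetical signature,
// not the contracts/security interface): the permission bitmask of uid on resource.
type Provider func(uid, resource string) (uint64, error)

// bitmask normalises the numeric kinds a decoded JWT claim can arrive as.
func bitmask(v any) (uint64, bool) {
	switch n := v.(type) {
	case int64:
		return uint64(n), true
	case float64:
		return uint64(n), true
	case json.Number:
		i, err := n.Int64()
		return uint64(i), err == nil
	}
	return 0, false
}

// ClaimsProvider reads the resource's bitmask from a flat claims map, falling back
// to the wildcard "*" entry; an absent claim yields 0 and never costs a DB call.
func ClaimsProvider(claims map[string]any) Provider {
	return func(_, resource string) (uint64, error) {
		if m, ok := bitmask(claims[resource]); ok {
			return m, nil
		}
		m, _ := bitmask(claims["*"])
		return m, nil
	}
}

// ChainProvider tries providers in order: the first non-zero mask wins, and any
// error short-circuits the chain so the authz gate can fail closed instead of open.
func ChainProvider(providers ...Provider) Provider {
	return func(uid, resource string) (uint64, error) {
		for _, p := range providers {
			mask, err := p(uid, resource)
			if err != nil {
				return 0, err // do not fall through to a later provider
			}
			if mask != 0 {
				return mask, nil
			}
		}
		return 0, nil // every provider agreed: no permissions
	}
}
```

A caller wires this up exactly as the doc comment shows: `ChainProvider(ClaimsProvider(claims), dbBacked)`, where the DB-backed provider is only consulted when the token carries no non-zero mask for the resource.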