rbac/cached_provider.go

package rbac

import (
	"context"
	"fmt"
	"time"

	"code.nochebuena.dev/einherjar/contracts/security"
)

var _ security.PermissionProvider = (*cachedPermissionProvider)(nil)

type cachedConfig struct {
	keyFn func(security.SecurityBag, string, string) string
}

type cachedPermissionProvider struct {
	inner security.PermissionProvider
	cache Cache
	ttl   time.Duration
	cfg   cachedConfig
}

// NewCachedPermissionProvider wraps any PermissionProvider with a TTL cache.
//
// Default cache key format:
//   - "rbac:{uid}:{resource}"            — single-tenant (no TenantID in bag)
//   - "rbac:{tenantID}:{uid}:{resource}" — multi-tenant (TenantID non-empty)
//
// TenantID is read automatically from the [security.SecurityBag] in context —
// no API change required. Use [WithCacheKey] to override the key function when
// additional bag attributes (hardware IDs, grant codes) must be part of the key.
//
// Cache errors are silently swallowed — falls through to the inner provider.
// Set errors are ignored (cache is best-effort).
func NewCachedPermissionProvider(inner security.PermissionProvider, cache Cache, ttl time.Duration, opts ...CachedOpt) security.PermissionProvider {
	cfg := cachedConfig{}
	for _, o := range opts {
		o(&cfg)
	}
	return &cachedPermissionProvider{inner: inner, cache: cache, ttl: ttl, cfg: cfg}
}

func (p *cachedPermissionProvider) ResolveMask(ctx context.Context, uid, resource string) (security.PermissionMask, error) {
	var key string
	if p.cfg.keyFn != nil {
		bag, _ := security.BagFromContext(ctx)
		key = p.cfg.keyFn(bag, uid, resource)
	} else {
		key = p.defaultKey(ctx, uid, resource)
	}

	if cached, ok, err := p.cache.Get(ctx, key); err == nil && ok {
		return security.PermissionMask(cached), nil
	}

	mask, err := p.inner.ResolveMask(ctx, uid, resource)
	if err != nil {
		return 0, err
	}

	_ = p.cache.Set(ctx, key, int64(mask), p.ttl)
	return mask, nil
}

func (p *cachedPermissionProvider) defaultKey(ctx context.Context, uid, resource string) string {
	bag, ok := security.BagFromContext(ctx)
	if ok && bag.Identity().TenantID != "" {
		return fmt.Sprintf("rbac:%s:%s:%s", bag.Identity().TenantID, uid, resource)
	}
	return fmt.Sprintf("rbac:%s:%s", uid, resource)
}
feat(auth): initial implementation — authmw and rbac (v1.0.0) Introduces code.nochebuena.dev/einherjar/auth — the provider-agnostic HTTP authentication and authorization layer of the Einherjar framework. Absorbs two micro-lib packages (httpauth, rbac) as sub-packages, replacing the Identity-only context model with a SecurityBag-native design and adding a composable enrichment chain. authmw: - BagEnricher function type — enriches the request-scoped SecurityBag after the base Identity is built; registered via WithBagEnricher; multiple enrichers run in order, each receiving the bag from the previous - IdentityEnricher interface — application-layer contract for loading user data from uid+claims - EnrichmentMiddleware — builds SecurityBag from uid+claims, runs enricher chain, stores via security.SetBagInContext; 401 on missing uid, 500 on enricher error; routes all errors through httputil.Error - AuthzMiddleware — per-route permission gate; 401 on missing identity, 403 on provider error (fail-closed) or insufficient permissions - EnrichOpt type + WithTenantHeader (reads TenantID from header, implemented as a BagEnricher) + WithBagEnricher (registers custom enrichers for hardware IDs, grant codes, or any bag attribute) - SetTokenData / GetClaims — integration contract for auth-jwt / auth-firebase rbac: - NewClaimsPermissionProvider — reads flat JWT claim bitmasks from context; wildcard "*" fallback; handles int64/float64/json.Number; zero DB calls - NewCachedPermissionProvider — TTL cache wrapping any PermissionProvider; default key "rbac:{uid}:{resource}" or "rbac:{tenantID}:{uid}:{resource}"; TenantID sourced from SecurityBag automatically; accepts ...CachedOpt - CachedOpt type + WithCacheKey — overrides the key function for extra dimensions (hardware IDs, grant codes read from bag attributes) - NewChainPermissionProvider — tries providers in order; first non-zero wins; errors short-circuit; typical pattern: claims → cached DB fallback - Cache interface — pluggable backend satisfied by cache-valkey via duck typing Compliance test (package auth_test) enforces CT-6 (≤1 exported TypeSpec/file), compile-time interface satisfaction, and behavioural coverage across the full middleware and provider surface: enrichment success/failure, tenant header, custom BagEnricher, bag-in-context, authz allowed/denied/error, claims hit/wildcard/missing/float64, cached hit/miss/error/tenant-key/custom-key, chain first-non-zero/fallthrough/error. Depends on contracts v1.0.0, core v1.0.0, web v1.0.0. - identifiable.go: package-level Module variable (observability.Identifiable) for version identification — auth is middleware-only; not registered with the launcher 2026-05-29 16:11:21 +00:00			`package rbac`

			`import (`
			`"context"`
			`"fmt"`
			`"time"`

			`"code.nochebuena.dev/einherjar/contracts/security"`
			`)`

			`var _ security.PermissionProvider = (*cachedPermissionProvider)(nil)`

			`type cachedConfig struct {`
			`keyFn func(security.SecurityBag, string, string) string`
			`}`

			`type cachedPermissionProvider struct {`
			`inner security.PermissionProvider`
			`cache Cache`
			`ttl time.Duration`
			`cfg cachedConfig`
			`}`

			`// NewCachedPermissionProvider wraps any PermissionProvider with a TTL cache.`
			`//`
			`// Default cache key format:`
			`// - "rbac:{uid}:{resource}" — single-tenant (no TenantID in bag)`
			`// - "rbac:{tenantID}:{uid}:{resource}" — multi-tenant (TenantID non-empty)`
			`//`
			`// TenantID is read automatically from the [security.SecurityBag] in context —`
			`// no API change required. Use [WithCacheKey] to override the key function when`
			`// additional bag attributes (hardware IDs, grant codes) must be part of the key.`
			`//`
			`// Cache errors are silently swallowed — falls through to the inner provider.`
			`// Set errors are ignored (cache is best-effort).`
			`func NewCachedPermissionProvider(inner security.PermissionProvider, cache Cache, ttl time.Duration, opts ...CachedOpt) security.PermissionProvider {`
			`cfg := cachedConfig{}`
			`for _, o := range opts {`
			`o(&cfg)`
			`}`
			`return &cachedPermissionProvider{inner: inner, cache: cache, ttl: ttl, cfg: cfg}`
			`}`

			`func (p *cachedPermissionProvider) ResolveMask(ctx context.Context, uid, resource string) (security.PermissionMask, error) {`
			`var key string`
			`if p.cfg.keyFn != nil {`
			`bag, _ := security.BagFromContext(ctx)`
			`key = p.cfg.keyFn(bag, uid, resource)`
			`} else {`
			`key = p.defaultKey(ctx, uid, resource)`
			`}`

			`if cached, ok, err := p.cache.Get(ctx, key); err == nil && ok {`
			`return security.PermissionMask(cached), nil`
			`}`

			`mask, err := p.inner.ResolveMask(ctx, uid, resource)`
			`if err != nil {`
			`return 0, err`
			`}`

			`_ = p.cache.Set(ctx, key, int64(mask), p.ttl)`
			`return mask, nil`
			`}`

			`func (p *cachedPermissionProvider) defaultKey(ctx context.Context, uid, resource string) string {`
			`bag, ok := security.BagFromContext(ctx)`
			`if ok && bag.Identity().TenantID != "" {`
			`return fmt.Sprintf("rbac:%s:%s:%s", bag.Identity().TenantID, uid, resource)`
			`}`
			`return fmt.Sprintf("rbac:%s:%s", uid, resource)`
			`}`