internal/repository/permission_provider.go

package repository

import (
	"context"
	"database/sql"
	"errors"

	"code.nochebuena.dev/go/rbac"
	"code.nochebuena.dev/go/sqlite"
)

// DBPermissionProvider implements rbac.PermissionProvider by reading the
// user_role table. A missing row is treated as "no permissions" (mask = 0).
type DBPermissionProvider struct {
	db sqlite.Client
}

// NewPermissionProvider returns a DBPermissionProvider backed by the given client.
func NewPermissionProvider(db sqlite.Client) *DBPermissionProvider {
	return &DBPermissionProvider{db: db}
}

// ResolveMask returns the permission bit-mask for uid on resource.
// Returns 0 (no permissions) if no row exists for the user/resource pair.
func (p *DBPermissionProvider) ResolveMask(ctx context.Context, uid, resource string) (rbac.PermissionMask, error) {
	row := p.db.GetExecutor(ctx).QueryRowContext(ctx,
		`SELECT permissions FROM user_role WHERE user_id = ? AND resource = ?`,
		uid, resource,
	)
	var bits int64
	if err := row.Scan(&bits); err != nil {
		if errors.Is(err, sql.ErrNoRows) {
			return 0, nil
		}
		return 0, err
	}
	return rbac.PermissionMask(bits), nil
}
feat(todo-api): add full-stack POC demonstrating micro-lib v0.9.0 Runnable REST API exercising every micro-lib tier in a containerless setup: N-layer architecture, SQLite persistence, header-based auth simulating Firebase output, and bit-mask RBAC enforcement. What's included: - cmd/todo-api: minimal main delegating to application.Run - internal/application: full object graph wiring — launcher, sqlite, httpserver, httpmw stack, routes in BeforeStart - internal/domain: User entity, ResourceTodos constant, PermReadTodo/PermWriteTodo bit positions - internal/repository: TodoRepository, UserRepository, DBPermissionProvider (SQLite via modernc) - internal/service: TodoService, UserService with interface-based dependencies - internal/handler: TodoHandler, UserHandler using httputil adapters and valid for input validation - internal/middleware: Auth (X-User-ID → rbac.Identity) and Require (bit-mask permission gate) - logAdapter: bridges logz.Logger.With return type to httpmw.Logger interface - SQLite schema: users, user_role (bitmask), todos; migrations run in BeforeStart - Routes: POST /users (open), GET+POST /todos (RBAC), GET /users (RBAC) Tested-via: todo-api POC integration Reviewed-against: docs/adr/ 2026-03-19 13:55:08 +00:00			`package repository`

			`import (`
			`"context"`
			`"database/sql"`
			`"errors"`

			`"code.nochebuena.dev/go/rbac"`
			`"code.nochebuena.dev/go/sqlite"`
			`)`

			`// DBPermissionProvider implements rbac.PermissionProvider by reading the`
			`// user_role table. A missing row is treated as "no permissions" (mask = 0).`
			`type DBPermissionProvider struct {`
			`db sqlite.Client`
			`}`

			`// NewPermissionProvider returns a DBPermissionProvider backed by the given client.`
			`func NewPermissionProvider(db sqlite.Client) *DBPermissionProvider {`
			`return &DBPermissionProvider{db: db}`
			`}`

			`// ResolveMask returns the permission bit-mask for uid on resource.`
			`// Returns 0 (no permissions) if no row exists for the user/resource pair.`
			`func (p *DBPermissionProvider) ResolveMask(ctx context.Context, uid, resource string) (rbac.PermissionMask, error) {`
			`row := p.db.GetExecutor(ctx).QueryRowContext(ctx,`
			`SELECT permissions FROM user_role WHERE user_id = ? AND resource = ?`,
			`uid, resource,`
			`)`
			`var bits int64`
			`if err := row.Scan(&bits); err != nil {`
			`if errors.Is(err, sql.ErrNoRows) {`
			`return 0, nil`
			`}`
			`return 0, err`
			`}`
			`return rbac.PermissionMask(bits), nil`
			`}`