Feature: roles & permissions

Author: runabol

datastore/datastore.go

@@ -14,6 +14,7 @@ var (
 	ErrNodeNotFound    = errors.New("node not found")
 	ErrJobNotFound     = errors.New("job not found")
 	ErrUserNotFound    = errors.New("user not found")
+	ErrRoleNotFound    = errors.New("role not found")
 	ErrContextNotFound = errors.New("context not found")
 )
 
@@ -39,11 +40,18 @@ type Datastore interface {
 	UpdateJob(ctx context.Context, id string, modify func(u *tork.Job) error) error
 	GetJobByID(ctx context.Context, id string) (*tork.Job, error)
 	GetJobLogParts(ctx context.Context, jobID string, page, size int) (*Page[*tork.TaskLogPart], error)
-	GetJobs(ctx context.Context, q string, page, size int) (*Page[*tork.JobSummary], error)
+	GetJobs(ctx context.Context, currentUser, q string, page, size int) (*Page[*tork.JobSummary], error)
 
 	CreateUser(ctx context.Context, u *tork.User) error
 	GetUser(ctx context.Context, username string) (*tork.User, error)
 
+	CreateRole(ctx context.Context, r *tork.Role) error
+	GetRole(ctx context.Context, id string) (*tork.Role, error)
+	GetRoles(ctx context.Context) ([]*tork.Role, error)
+	GetUserRoles(ctx context.Context, userID string) ([]*tork.Role, error)
+	AssignRole(ctx context.Context, userID, roleID string) error
+	UnassignRole(ctx context.Context, userID, roleID string) error
+
 	GetMetrics(ctx context.Context) (*tork.Metrics, error)
 
 	WithTx(ctx context.Context, f func(tx Datastore) error) error

datastore/inmemory/inmemory.go

@@ -14,6 +14,7 @@ import (
 	"github.com/runabol/tork/datastore"
 	"github.com/runabol/tork/internal/cache"
 	"github.com/runabol/tork/internal/slices"
+	"github.com/runabol/tork/internal/uuid"
 )
 
 const (
@@ -35,6 +36,8 @@ type InMemoryDatastore struct {
 	jobs            *cache.Cache[*tork.Job]
 	usersByID       *cache.Cache[*tork.User]
 	usersByUsername *cache.Cache[*tork.User]
+	roles           *cache.Cache[*tork.Role]
+	userRoles       *cache.Cache[[]*tork.UserRole]
 	logs            *cache.Cache[[]*tork.TaskLogPart]
 	logsMu          sync.RWMutex
 	nodeExpiration  *time.Duration
@@ -80,6 +83,8 @@ func NewInMemoryDatastore(opts ...Option) *InMemoryDatastore {
 	ds.logs = cache.New[[]*tork.TaskLogPart](cache.NoExpiration, ci)
 	ds.usersByID = cache.New[*tork.User](cache.NoExpiration, ci)
 	ds.usersByUsername = cache.New[*tork.User](cache.NoExpiration, ci)
+	ds.roles = cache.New[*tork.Role](cache.NoExpiration, ci)
+	ds.userRoles = cache.New[[]*tork.UserRole](cache.NoExpiration, ci)
 	ds.jobs.OnEvicted(ds.onJobEviction)
 	return ds
 }
@@ -255,7 +260,7 @@ func (ds *InMemoryDatastore) GetActiveTasks(ctx context.Context, jobID string) (
 	return result, nil
 }
 
-func (ds *InMemoryDatastore) GetJobs(ctx context.Context, q string, page, size int) (*datastore.Page[*tork.JobSummary], error) {
+func (ds *InMemoryDatastore) GetJobs(ctx context.Context, currentUser, q string, page, size int) (*datastore.Page[*tork.JobSummary], error) {
 	parseQuery := func(query string) (string, []string) {
 		terms := []string{}
 		tags := []string{}
@@ -272,10 +277,46 @@ func (ds *InMemoryDatastore) GetJobs(ctx context.Context, q string, page, size i
 		return strings.Join(terms, " "), tags
 	}
 
+	var urs []*tork.Role
+	var user *tork.User
+	if currentUser != "" {
+		u, err := ds.GetUser(ctx, currentUser)
+		if err != nil {
+			return nil, err
+		}
+		user = u
+		ur, err := ds.GetUserRoles(ctx, u.ID)
+		if err != nil {
+			return nil, err
+		}
+		urs = ur
+	}
+
 	searchTerm, tags := parseQuery(q)
 	offset := (page - 1) * size
 	filtered := make([]*tork.Job, 0)
+	hasPermission := func(user *tork.User, uroles []*tork.Role, job *tork.Job) bool {
+		if len(job.Permissions) == 0 {
+			return true
+		}
+		for _, p := range job.Permissions {
+			if p.User != nil && p.User.Username == user.Username {
+				return true
+			}
+			if p.Role != nil {
+				for _, ur := range uroles {
+					if p.Role.Slug == ur.Slug {
+						return true
+					}
+				}
+			}
+		}
+		return false
+	}
 	ds.jobs.Iterate(func(_ string, j *tork.Job) {
+		if currentUser != "" && !hasPermission(user, urs, j) {
+			return
+		}
 		if searchTerm != "" {
 			if strings.Contains(strings.ToLower(j.Name), strings.ToLower(searchTerm)) ||
 				strings.Contains(strings.ToLower(string(j.State)), strings.ToLower(searchTerm)) {
@@ -458,6 +499,19 @@ func (ds *InMemoryDatastore) GetUser(ctx context.Context, uid string) (*tork.Use
 	return nil, datastore.ErrUserNotFound
 }
 
+func (ds *InMemoryDatastore) GetRole(ctx context.Context, id string) (*tork.Role, error) {
+	var r *tork.Role
+	ds.roles.Iterate(func(key string, v *tork.Role) {
+		if key == id || v.Slug == id {
+			r = v
+		}
+	})
+	if r == nil {
+		return nil, datastore.ErrRoleNotFound
+	}
+	return r, nil
+}
+
 func (ds *InMemoryDatastore) CreateUser(ctx context.Context, u *tork.User) error {
 	if _, ok := ds.usersByID.Get(u.ID); ok {
 		return errors.New("user already exists")
@@ -470,6 +524,73 @@ func (ds *InMemoryDatastore) CreateUser(ctx context.Context, u *tork.User) error
 	return nil
 }
 
+func (ds *InMemoryDatastore) CreateRole(ctx context.Context, r *tork.Role) error {
+	r.ID = uuid.NewUUID()
+	now := time.Now().UTC()
+	r.CreatedAt = &now
+	ds.roles.Set(r.ID, r)
+	return nil
+}
+
+func (ds *InMemoryDatastore) GetRoles(ctx context.Context) ([]*tork.Role, error) {
+	roles := make([]*tork.Role, 0)
+	ds.roles.Iterate(func(_ string, v *tork.Role) {
+		roles = append(roles, v)
+	})
+	sort.Slice(roles, func(i, j int) bool {
+		return roles[i].Name < roles[j].Name
+	})
+	return roles, nil
+}
+
+func (ds *InMemoryDatastore) AssignRole(ctx context.Context, userID, roleID string) error {
+	now := time.Now().UTC()
+	ur := &tork.UserRole{
+		ID:        uuid.NewUUID(),
+		UserID:    userID,
+		RoleID:    roleID,
+		CreatedAt: &now,
+	}
+	urs, ok := ds.userRoles.Get(userID)
+	if !ok {
+		urs = make([]*tork.UserRole, 0)
+	}
+	urs = append(urs, ur)
+	ds.userRoles.Set(userID, urs)
+	return nil
+}
+
+func (ds *InMemoryDatastore) UnassignRole(ctx context.Context, userID, roleID string) error {
+	urs, ok := ds.userRoles.Get(userID)
+	if !ok {
+		return nil
+	}
+	nurs := make([]*tork.UserRole, 0)
+	for _, v := range urs {
+		if v.UserID != userID || v.RoleID != roleID {
+			nurs = append(nurs, v)
+		}
+	}
+	ds.userRoles.Set(userID, nurs)
+	return nil
+}
+
+func (ds *InMemoryDatastore) GetUserRoles(ctx context.Context, userID string) ([]*tork.Role, error) {
+	uroles, ok := ds.userRoles.Get(userID)
+	if !ok {
+		return make([]*tork.Role, 0), nil
+	}
+	result := make([]*tork.Role, len(uroles))
+	for i, ur := range uroles {
+		r, ok := ds.roles.Get(ur.RoleID)
+		if !ok {
+			return nil, datastore.ErrRoleNotFound
+		}
+		result[i] = r
+	}
+	return result, nil
+}
+
 func (ds *InMemoryDatastore) WithTx(ctx context.Context, f func(tx datastore.Datastore) error) error {
 	return f(ds)
 }

datastore/inmemory/inmemory_test.go

@@ -512,16 +512,77 @@ func TestInMemoryGetJobLogParts(t *testing.T) {
 func TestInMemorySearchJobs(t *testing.T) {
 	ctx := context.Background()
 	ds := inmemory.NewInMemoryDatastore()
-	for i := 0; i < 101; i++ {
+
+	u1 := &tork.User{
+		ID:       uuid.NewUUID(),
+		Username: uuid.NewShortUUID(),
+		Name:     "Tester",
+	}
+	err := ds.CreateUser(ctx, u1)
+	assert.NoError(t, err)
+
+	u2 := &tork.User{
+		ID:       uuid.NewUUID(),
+		Username: uuid.NewShortUUID(),
+		Name:     "Tester",
+	}
+	err = ds.CreateUser(ctx, u2)
+	assert.NoError(t, err)
+
+	r := &tork.Role{
+		Slug: "test-role",
+		Name: "Test Role",
+	}
+	err = ds.CreateRole(ctx, r)
+	assert.NoError(t, err)
+
+	err = ds.AssignRole(ctx, u2.ID, r.ID)
+	assert.NoError(t, err)
+
+	u3 := &tork.User{
+		ID:       uuid.NewUUID(),
+		Username: uuid.NewShortUUID(),
+		Name:     "Tester",
+	}
+	err = ds.CreateUser(ctx, u3)
+	assert.NoError(t, err)
+
+	for i := 0; i < 100; i++ {
+		j1 := tork.Job{
+			ID:    uuid.NewUUID(),
+			Name:  fmt.Sprintf("Job %d", (i + 1)),
+			State: tork.JobStateRunning,
+			Tasks: []*tork.Task{{
+				Name: "some task",
+			}},
+			Tags: []string{fmt.Sprintf("tag-%d", i)},
+			Permissions: []*tork.Permission{{
+				User: u1,
+			}, {
+				Role: r,
+			}},
+		}
+		err := ds.CreateJob(ctx, &j1)
+		assert.NoError(t, err)
+
+		now := time.Now().UTC()
+		err = ds.CreateTask(ctx, &tork.Task{
+			ID:        uuid.NewUUID(),
+			JobID:     j1.ID,
+			State:     tork.TaskStateRunning,
+			CreatedAt: &now,
+		})
+		assert.NoError(t, err)
+	}
+
+	for i := 100; i < 101; i++ {
 		j1 := tork.Job{
 			ID:    uuid.NewUUID(),
 			Name:  fmt.Sprintf("Job %d", (i + 1)),
 			State: tork.JobStateRunning,
-			Tasks: []*tork.Task{
-				{
-					Name: "some task",
-				},
-			},
+			Tasks: []*tork.Task{{
+				Name: "some task",
+			}},
 			Tags: []string{fmt.Sprintf("tag-%d", i)},
 		}
 		err := ds.CreateJob(ctx, &j1)
@@ -537,38 +598,100 @@ func TestInMemorySearchJobs(t *testing.T) {
 		assert.NoError(t, err)
 	}
 
-	p1, err := ds.GetJobs(ctx, "", 1, 10)
+	p1, err := ds.GetJobs(ctx, "", "", 1, 10)
 	assert.NoError(t, err)
 	assert.Equal(t, 10, p1.Size)
 	assert.Equal(t, 101, p1.TotalItems)
 
-	p1, err = ds.GetJobs(ctx, "101", 1, 10)
+	p1, err = ds.GetJobs(ctx, "", "101", 1, 10)
 	assert.NoError(t, err)
 	assert.Equal(t, 1, p1.Size)
 	assert.Equal(t, 1, p1.TotalItems)
 
-	p1, err = ds.GetJobs(ctx, "tag:tag-1", 1, 10)
+	p1, err = ds.GetJobs(ctx, "", "tag:tag-1", 1, 10)
 	assert.NoError(t, err)
 	assert.Equal(t, 1, p1.Size)
 	assert.Equal(t, 1, p1.TotalItems)
 
-	p1, err = ds.GetJobs(ctx, "tag:not-a-tag", 1, 10)
+	p1, err = ds.GetJobs(ctx, "", "tag:not-a-tag", 1, 10)
 	assert.NoError(t, err)
 	assert.Equal(t, 0, p1.Size)
 	assert.Equal(t, 0, p1.TotalItems)
 
-	p1, err = ds.GetJobs(ctx, "tags:not-a-tag,tag-1", 1, 10)
+	p1, err = ds.GetJobs(ctx, "", "tags:not-a-tag,tag-1", 1, 10)
 	assert.NoError(t, err)
 	assert.Equal(t, 1, p1.Size)
 	assert.Equal(t, 1, p1.TotalItems)
 
-	p1, err = ds.GetJobs(ctx, "Job", 1, 10)
+	p1, err = ds.GetJobs(ctx, "", "Job", 1, 10)
+	assert.NoError(t, err)
+	assert.Equal(t, 10, p1.Size)
+	assert.Equal(t, 101, p1.TotalItems)
+
+	p1, err = ds.GetJobs(ctx, "", "running", 1, 10)
 	assert.NoError(t, err)
 	assert.Equal(t, 10, p1.Size)
 	assert.Equal(t, 101, p1.TotalItems)
 
-	p1, err = ds.GetJobs(ctx, "running", 1, 10)
+	p1, err = ds.GetJobs(ctx, u1.Username, "running", 1, 10)
 	assert.NoError(t, err)
 	assert.Equal(t, 10, p1.Size)
 	assert.Equal(t, 101, p1.TotalItems)
+
+	p1, err = ds.GetJobs(ctx, u2.Username, "running", 1, 10)
+	assert.NoError(t, err)
+	assert.Equal(t, 10, p1.Size)
+	assert.Equal(t, 101, p1.TotalItems)
+
+	p1, err = ds.GetJobs(ctx, u3.Username, "running", 1, 10)
+	assert.NoError(t, err)
+	assert.Equal(t, 1, p1.Size)
+	assert.Equal(t, 1, p1.TotalItems)
+}
+
+func TestInMemoryCreateRole(t *testing.T) {
+	ctx := context.Background()
+	ds := inmemory.NewInMemoryDatastore()
+	now := time.Now().UTC()
+	r := &tork.Role{
+		ID:        uuid.NewUUID(),
+		Slug:      "test-role",
+		Name:      "Test Role",
+		CreatedAt: &now,
+	}
+	err := ds.CreateRole(ctx, r)
+	assert.NoError(t, err)
+
+	role, err := ds.GetRole(ctx, r.Slug)
+	assert.NoError(t, err)
+	assert.Equal(t, r.Slug, role.Slug)
+
+	roles, err := ds.GetRoles(ctx)
+	assert.NoError(t, err)
+	assert.Len(t, roles, 1)
+	assert.Equal(t, "Test Role", roles[0].Name)
+
+	u := &tork.User{
+		ID:        uuid.NewUUID(),
+		Username:  uuid.NewShortUUID(),
+		Name:      "Tester",
+		CreatedAt: &now,
+	}
+	err = ds.CreateUser(ctx, u)
+	assert.NoError(t, err)
+
+	err = ds.AssignRole(ctx, u.ID, r.ID)
+	assert.NoError(t, err)
+
+	uroles, err := ds.GetUserRoles(ctx, u.ID)
+	assert.NoError(t, err)
+	assert.Len(t, uroles, 1)
+	assert.Equal(t, r.ID, uroles[0].ID)
+
+	err = ds.UnassignRole(ctx, u.ID, r.ID)
+	assert.NoError(t, err)
+
+	uroles, err = ds.GetUserRoles(ctx, u.ID)
+	assert.NoError(t, err)
+	assert.Len(t, uroles, 0)
 }