basicly implement acl crud ops with roles and resources

internal/acl/errors.go

@@ -0,0 +1,21 @@
+package acl
+
+// TODO: add more specific errors
+
+import "fmt"
+
+var (
+	ErrNotInitialized = fmt.Errorf("acl service is not initialized")
+
+	ErrRoleNotFound      = fmt.Errorf("role not found")
+	ErrRoleAlreadyExists = fmt.Errorf("role already exists")
+	ErrInvalidRoleName   = fmt.Errorf("role name is invalid")
+	ErrSameRoleName      = fmt.Errorf("role name is the same as another role")
+	ErrRoleInUse         = fmt.Errorf("role is in use")
+
+	ErrResourceNotFound      = fmt.Errorf("resource not found")
+	ErrResourceAlreadyExists = fmt.Errorf("resource already exists")
+	ErrInvalidResourceKey    = fmt.Errorf("invalid resource key")
+	ErrResourceInUse         = fmt.Errorf("resource is in use")
+	ErrSameResourceKey       = fmt.Errorf("resource key is the same as another resource")
+)

internal/acl/models.go

@@ -1,8 +1,8 @@
 package acl
 
 type UserRole struct {
-	UserID uint `gorm:"primaryKey" json:"userId"`
-	RoleID uint `gorm:"primaryKey" json:"roleId"`
+	UserID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
+	RoleID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
 
 	Role Role `gorm:"constraint:OnDelete:CASCADE;foreignKey:RoleID;references:ID" json:"role"`
 	//User user.User `gorm:"constraint:OnDelete:CASCADE;foreignKey:UserID;references:ID"`

internal/acl/resources.go

@@ -0,0 +1,140 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"gorm.io/gorm"
+)
+
+// GetResources returns all resources.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetResources() ([]Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var resources []Resource
+	if err := s.db.Order("id").Find(&resources).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return resources, nil
+}
+
+// CreateResource creates a new resource with the given key or returns existing one.
+// Returns ID of created resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceAlreadyExists] or db error.
+func (s *Service) CreateResource(key string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	key = strings.TrimSpace(key)
+	if key == "" {
+		return 0, ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.Where("key = ?", key).First(&res).Error; err == nil {
+		// already exists
+		return res.ID, ErrResourceAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other db error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	res = Resource{Key: key}
+	if err := s.db.Create(&res).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return res.ID, nil
+}
+
+// GetResourceByID returns the resource with the given ID.
+// May return [ErrNotInitialized], [ErrResourceNotFound] or db error.
+func (s *Service) GetResourceByID(resourceID uint) (*Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrResourceNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &res, nil
+}
+
+// UpdateResource updates the key of a resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceNotFound], [ErrSameResourceKey] or db error.
+func (s *Service) UpdateResource(resourceID uint, newKey string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newKey = strings.TrimSpace(newKey)
+	if newKey == "" {
+		return ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// same key?
+	if res.Key == newKey {
+		return ErrSameResourceKey
+	}
+
+	// check if key used by another resource
+	var count int64
+	if err := s.db.Model(&Resource{}).
+		Where("key = ? AND id != ?", newKey, resourceID).
+		Count(&count).Error; err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if count > 0 {
+		return ErrSameResourceKey
+	}
+
+	res.Key = newKey
+	if err := s.db.Save(&res).Error; err != nil {
+		return fmt.Errorf("failed to update resource: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteResource deletes a resource.
+// May return [ErrNotInitialized], [ErrResourceNotFound], [ErrResourceInUse] or db error.
+func (s *Service) DeleteResource(resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Resource{}, resourceID)
+
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrResourceInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrResourceNotFound
+	}
+
+	return nil
+}

internal/acl/roles.go

@@ -0,0 +1,136 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"gorm.io/gorm"
+)
+
+// GetRoles returns all roles.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetRoles() ([]Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var roles []Role
+	if err := s.db.Preload("Resources").Order("id").Find(&roles).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return roles, nil
+}
+
+// CreateRole creates a new role with the given name or returns existing one.
+// Returns the ID of the created role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleAlreadyExists] or db error.
+func (s *Service) CreateRole(name string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return 0, ErrInvalidRoleName
+	}
+
+	var role Role
+	if err := s.db.Where("name = ?", name).First(&role).Error; err == nil {
+		// already exists
+		return role.ID, ErrRoleAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other database error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	role = Role{Name: name}
+	if err := s.db.Create(&role).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return role.ID, nil
+}
+
+// GetRoleByID returns the role with the given ID or an error.
+// May return [ErrNotInitialized], [ErrRoleNotFound] or db error.
+func (s *Service) GetRoleByID(roleID uint) (*Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+	var role Role
+	err := s.db.Preload("Resources").First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrRoleNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &role, nil
+}
+
+// UpdateRole updates the name of a role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleNotFound], [ErrSameRoleName], or db error.
+func (s *Service) UpdateRole(roleID uint, newName string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newName = strings.TrimSpace(newName)
+	if newName == "" {
+		return ErrInvalidRoleName
+	}
+
+	var role Role
+	err := s.db.First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// check for name conflicts
+	if role.Name == newName {
+		return ErrSameRoleName
+	}
+	var count int64
+	err = s.db.Model(&Role{}).Where("name = ? AND id != ?", newName, roleID).Count(&count).Error
+	if err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+	if count > 0 {
+		return ErrSameRoleName
+	}
+
+	role.Name = newName
+	if err := s.db.Save(&role).Error; err != nil {
+		return fmt.Errorf("failed to update role: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteRole deletes a role.
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrRoleInUse] or db error.
+func (s *Service) DeleteRole(roleID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Role{}, roleID)
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrRoleInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrRoleNotFound
+	}
+
+	return nil
+}

internal/acl/service.go

@@ -1,6 +1,7 @@
 package acl
 
 import (
+	"errors"
 	"fmt"
 
 	"gorm.io/gorm"
@@ -40,30 +41,14 @@ func (s *Service) Init() error {
 	return nil
 }
 
-// Admin crud functions
+// Admin crud functions //
 
-// CreateRole creates a new role with the given name
-func (s *Service) CreateRole(name string) error {
-	if !s.isInitialized() {
-		return fmt.Errorf("acl service is not initialized")
-	}
-	role := Role{Name: name}
-	return s.db.FirstOrCreate(&role, &Role{Name: name}).Error
-}
-
-// CreateResource creates a new resource with the given key
-func (s *Service) CreateResource(key string) error {
-	if !s.isInitialized() {
-		return fmt.Errorf("acl service is not initialized")
-	}
-	res := Resource{Key: key}
-	return s.db.FirstOrCreate(&res, &Resource{Key: key}).Error
-}
+// Resources
 
 // AssignResourceToRole assigns a resource to a role
 func (s *Service) AssignResourceToRole(roleID, resourceID uint) error {
 	if !s.isInitialized() {
-		return fmt.Errorf("acl service is not initialized")
+		return ErrNotInitialized
 	}
 	rr := RoleResource{
 		RoleID:     roleID,
@@ -75,19 +60,25 @@ func (s *Service) AssignResourceToRole(roleID, resourceID uint) error {
 // AssignRoleToUser assigns a role to a user
 func (s *Service) AssignRoleToUser(roleID, userID uint) error {
 	if !s.isInitialized() {
-		return fmt.Errorf("acl service is not initialized")
+		return ErrNotInitialized
 	}
 	ur := UserRole{
 		UserID: userID,
 		RoleID: roleID,
 	}
-	return s.db.FirstOrCreate(&ur, UserRole{UserID: userID, RoleID: roleID}).Error
+	if err := s.db.Create(&ur).Error; err != nil {
+		if errors.Is(err, gorm.ErrDuplicatedKey) {
+			return fmt.Errorf("role already assigned to user")
+		}
+		return err
+	}
+	return nil
 }
 
 // RemoveResourceFromRole removes a resource from a role
 func (s *Service) RemoveResourceFromRole(roleID, resourceID uint) error {
 	if !s.isInitialized() {
-		return fmt.Errorf("acl service is not initialized")
+		return ErrNotInitialized
 	}
 	return s.db.Where("role_id = ? AND resource_id = ?", roleID, resourceID).Delete(&RoleResource{}).Error
 }
@@ -95,35 +86,15 @@ func (s *Service) RemoveResourceFromRole(roleID, resourceID uint) error {
 // RemoveRoleFromUser removes a role from a user
 func (s *Service) RemoveRoleFromUser(roleID, userID uint) error {
 	if !s.isInitialized() {
-		return fmt.Errorf("acl service is not initialized")
+		return ErrNotInitialized
 	}
 	return s.db.Where("role_id = ? AND user_id = ?", roleID, userID).Delete(&UserRole{}).Error
 }
 
-// GetRoles returns all roles
-func (s *Service) GetRoles() ([]Role, error) {
-	if !s.isInitialized() {
-		return nil, fmt.Errorf("acl service is not initialized")
-	}
-	var roles []Role
-	err := s.db.Preload("Resources").Order("id").Find(&roles).Error
-	return roles, err
-}
-
-// GetPermissions returns all permissions
-func (s *Service) GetPermissions() ([]Resource, error) {
-	if !s.isInitialized() {
-		return nil, fmt.Errorf("acl service is not initialized")
-	}
-	var resources []Resource
-	err := s.db.Order("id").Find(&resources).Error
-	return resources, err
-}
-
 // GetRoleResources returns all resources for a given role
 func (s *Service) GetRoleResources(roleID uint) ([]Resource, error) {
 	if !s.isInitialized() {
-		return nil, fmt.Errorf("acl service is not initialized")
+		return nil, ErrNotInitialized
 	}
 	var resources []Resource
 	err := s.db.Joins("JOIN role_resources rr ON rr.resource_id = resources.id").
@@ -134,7 +105,7 @@ func (s *Service) GetRoleResources(roleID uint) ([]Resource, error) {
 // GetUserRoles returns all roles for a given user
 func (s *Service) GetUserRoles(userID uint) ([]Role, error) {
 	if !s.isInitialized() {
-		return nil, fmt.Errorf("acl service is not initialized")
+		return nil, ErrNotInitialized
 	}
 	var roles []Role
 	err := s.db.Joins("JOIN user_roles ur ON ur.role_id = roles.id").