tony/CHORUS
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8d9b62daf37ad7dc3f5f0a17966e5fe3a4e00361
CHORUS/pkg/slurp/roles/interfaces.go
anthonyrawlins 9bdcbe0447 Integrate BACKBEAT SDK and resolve KACHING license validation 
Major integrations and fixes:
- Added BACKBEAT SDK integration for P2P operation timing
- Implemented beat-aware status tracking for distributed operations
- Added Docker secrets support for secure license management
- Resolved KACHING license validation via HTTPS/TLS
- Updated docker-compose configuration for clean stack deployment
- Disabled rollback policies to prevent deployment failures
- Added license credential storage (CHORUS-DEV-MULTI-001)

Technical improvements:
- BACKBEAT P2P operation tracking with phase management
- Enhanced configuration system with file-based secrets
- Improved error handling for license validation
- Clean separation of KACHING and CHORUS deployment stacks

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-06 07:56:26 +10:00

285 lines
12 KiB
Go
Raw Blame History

package roles
import (
"context"
"time"
"chorus/pkg/security"
"chorus/pkg/ucxl"
slurpContext "chorus/pkg/slurp/context"
)
// RoleManager handles definition and management of roles and permissions
//
// This is the primary interface for creating, updating, and managing roles
// and their associated permissions within the SLURP system.
type RoleManager interface {
// CreateRole creates a new role with specified permissions
CreateRole(ctx context.Context, role *Role) error
// UpdateRole updates an existing role
UpdateRole(ctx context.Context, role *Role) error
// DeleteRole removes a role from the system
DeleteRole(ctx context.Context, roleID string) error
// GetRole retrieves a specific role
GetRole(ctx context.Context, roleID string) (*Role, error)
// ListRoles lists all roles with optional filtering
ListRoles(ctx context.Context, filter *RoleFilter) ([]*Role, error)
// AssignRole assigns a role to a user or entity
AssignRole(ctx context.Context, userID, roleID string) error
// RevokeRole revokes a role from a user or entity
RevokeRole(ctx context.Context, userID, roleID string) error
// GetUserRoles gets all roles assigned to a user
GetUserRoles(ctx context.Context, userID string) ([]*Role, error)
// CreateRoleHierarchy establishes parent-child relationships between roles
CreateRoleHierarchy(ctx context.Context, parentRoleID, childRoleID string) error
// GetRoleHierarchy gets the complete role hierarchy
GetRoleHierarchy(ctx context.Context) (*RoleHierarchy, error)
// ValidateRole validates role definition and permissions
ValidateRole(ctx context.Context, role *Role) (*RoleValidation, error)
// GetRoleStats returns role management statistics
GetRoleStats(ctx context.Context) (*RoleStatistics, error)
}
// AccessController handles access control decision making and enforcement
//
// Provides centralized access control decisions based on roles, permissions,
// and context requirements with support for dynamic evaluation and caching.
type AccessController interface {
// CheckPermission checks if a user has a specific permission
CheckPermission(ctx context.Context, userID string, permission Permission) (bool, error)
// CheckContextAccess checks if a user can access specific context
CheckContextAccess(ctx context.Context, userID string, address ucxl.Address, accessType AccessType) (bool, error)
// CheckAccessLevel checks if a user meets the required access level
CheckAccessLevel(ctx context.Context, userID string, requiredLevel security.AccessLevel) (bool, error)
// BatchCheckPermissions checks multiple permissions efficiently
BatchCheckPermissions(ctx context.Context, userID string, permissions []Permission) (map[Permission]bool, error)
// EvaluateContextPermissions evaluates all relevant permissions for context
EvaluateContextPermissions(ctx context.Context, userID string, node *slurpContext.ContextNode) (*ContextPermissions, error)
// GetUserAccessLevel gets the maximum access level for a user
GetUserAccessLevel(ctx context.Context, userID string) (security.AccessLevel, error)
// CreateAccessToken creates a time-limited access token
CreateAccessToken(ctx context.Context, userID string, permissions []Permission, ttl time.Duration) (*AccessToken, error)
// ValidateAccessToken validates and extracts permissions from access token
ValidateAccessToken(ctx context.Context, token string) (*TokenValidation, error)
// GetAccessDecisionHistory gets history of access decisions for audit
GetAccessDecisionHistory(ctx context.Context, userID string, timeRange time.Duration) ([]*AccessDecision, error)
// GetAccessStats returns access control statistics
GetAccessStats() (*AccessStatistics, error)
}
// ContextFilter handles role-based filtering of context information
//
// Filters context data based on user roles and permissions to ensure
// appropriate information visibility and data protection.
type ContextFilter interface {
// FilterContext filters context based on user role and permissions
FilterContext(ctx context.Context, node *slurpContext.ContextNode, userID string) (*slurpContext.ContextNode, error)
// FilterResolvedContext filters resolved context for role-based access
FilterResolvedContext(ctx context.Context, resolved *slurpContext.ResolvedContext, userID string) (*slurpContext.ResolvedContext, error)
// BatchFilterContexts filters multiple contexts efficiently
BatchFilterContexts(ctx context.Context, nodes []*slurpContext.ContextNode, userID string) ([]*slurpContext.ContextNode, error)
// GetFilteredFields gets list of fields that would be filtered for user
GetFilteredFields(ctx context.Context, node *slurpContext.ContextNode, userID string) ([]string, error)
// ApplySecurityLabels applies security labels to context based on content
ApplySecurityLabels(ctx context.Context, node *slurpContext.ContextNode) (*LabeledContext, error)
// GetRoleSpecificView gets context optimized for specific role perspective
GetRoleSpecificView(ctx context.Context, node *slurpContext.ContextNode, roleID string) (*RoleContextView, error)
// SetFilteringPolicy configures filtering policy and rules
SetFilteringPolicy(policy *FilteringPolicy) error
// GetFilteringStats returns context filtering statistics
GetFilteringStats() (*FilteringStatistics, error)
}
// PermissionEvaluator handles dynamic evaluation of permissions
//
// Provides sophisticated permission evaluation including conditional
// permissions, time-based access, and context-dependent authorization.
type PermissionEvaluator interface {
// EvaluatePermission evaluates a permission with context and conditions
EvaluatePermission(ctx context.Context, userID string, permission Permission, evalContext *EvaluationContext) (*PermissionEvaluation, error)
// EvaluateConditionalPermission evaluates permission with conditions
EvaluateConditionalPermission(ctx context.Context, userID string, permission *ConditionalPermission) (bool, error)
// EvaluateTimeBasedPermission evaluates time-restricted permission
EvaluateTimeBasedPermission(ctx context.Context, userID string, permission Permission, timeWindow *TimeWindow) (bool, error)
// GetEffectivePermissions gets all effective permissions for user in context
GetEffectivePermissions(ctx context.Context, userID string, evalContext *EvaluationContext) ([]Permission, error)
// CreatePermissionRule creates custom permission evaluation rule
CreatePermissionRule(ctx context.Context, rule *PermissionRule) error
// UpdatePermissionRule updates existing permission rule
UpdatePermissionRule(ctx context.Context, rule *PermissionRule) error
// DeletePermissionRule removes permission rule
DeletePermissionRule(ctx context.Context, ruleID string) error
// ListPermissionRules lists all permission rules
ListPermissionRules(ctx context.Context) ([]*PermissionRule, error)
// GetEvaluationStats returns permission evaluation statistics
GetEvaluationStats() (*EvaluationStatistics, error)
}
// AuditLogger handles logging of access control events
//
// Provides comprehensive audit logging for access control decisions,
// permission changes, and security-relevant events for compliance
// and security analysis.
type AuditLogger interface {
// LogAccessDecision logs an access control decision
LogAccessDecision(ctx context.Context, decision *AccessDecision) error
// LogPermissionChange logs changes to permissions or roles
LogPermissionChange(ctx context.Context, change *PermissionChange) error
// LogSecurityEvent logs security-relevant events
LogSecurityEvent(ctx context.Context, event *SecurityEvent) error
// GetAuditLog retrieves audit log entries with filtering
GetAuditLog(ctx context.Context, filter *AuditFilter) ([]*AuditEntry, error)
// ExportAuditLog exports audit log in specified format
ExportAuditLog(ctx context.Context, format string, filter *AuditFilter) ([]byte, error)
// GetAuditStats returns audit logging statistics
GetAuditStats(ctx context.Context) (*AuditStatistics, error)
// SetRetentionPolicy sets audit log retention policy
SetRetentionPolicy(policy *RetentionPolicy) error
// ArchiveOldLogs archives old audit logs
ArchiveOldLogs(ctx context.Context, olderThan time.Time) (*ArchiveResult, error)
}
// EncryptionManager handles role-based encryption and key management
//
// Manages encryption keys and operations for role-based access control,
// integrating with the CHORUS crypto system for secure context storage
// and distribution.
type EncryptionManager interface {
// EncryptForRoles encrypts context data for specific roles
EncryptForRoles(ctx context.Context, data []byte, roles []string) (*EncryptedData, error)
// DecryptForUser decrypts data based on user's roles and permissions
DecryptForUser(ctx context.Context, encryptedData *EncryptedData, userID string) ([]byte, error)
// GenerateRoleKey generates encryption key for a role
GenerateRoleKey(ctx context.Context, roleID string) (*RoleKey, error)
// RotateRoleKeys rotates encryption keys for roles
RotateRoleKeys(ctx context.Context, roles []string) (*KeyRotationResult, error)
// GetRoleKey retrieves encryption key for a role
GetRoleKey(ctx context.Context, roleID string) (*RoleKey, error)
// RevokeRoleKey revokes encryption key for a role
RevokeRoleKey(ctx context.Context, roleID string) error
// ValidateEncryptedData validates integrity of encrypted data
ValidateEncryptedData(ctx context.Context, encryptedData *EncryptedData) (bool, error)
// GetEncryptionStats returns encryption operation statistics
GetEncryptionStats() (*EncryptionStatistics, error)
}
// PolicyManager handles role-based policy definition and enforcement
type PolicyManager interface {
// CreatePolicy creates a new access control policy
CreatePolicy(ctx context.Context, policy *AccessPolicy) error
// UpdatePolicy updates existing access control policy
UpdatePolicy(ctx context.Context, policy *AccessPolicy) error
// DeletePolicy removes an access control policy
DeletePolicy(ctx context.Context, policyID string) error
// GetPolicy retrieves a specific policy
GetPolicy(ctx context.Context, policyID string) (*AccessPolicy, error)
// ListPolicies lists all policies with optional filtering
ListPolicies(ctx context.Context, filter *PolicyFilter) ([]*AccessPolicy, error)
// EvaluatePolicy evaluates policy against access request
EvaluatePolicy(ctx context.Context, policyID string, request *AccessRequest) (*PolicyEvaluation, error)
// GetApplicablePolicies gets policies applicable to user and resource
GetApplicablePolicies(ctx context.Context, userID string, resource string) ([]*AccessPolicy, error)
// ValidatePolicy validates policy definition and rules
ValidatePolicy(ctx context.Context, policy *AccessPolicy) (*PolicyValidation, error)
}
// SessionManager handles user session management and context
type SessionManager interface {
// CreateSession creates new user session with role context
CreateSession(ctx context.Context, userID string, roles []string) (*UserSession, error)
// GetSession retrieves existing user session
GetSession(ctx context.Context, sessionID string) (*UserSession, error)
// UpdateSession updates session with new permissions or context
UpdateSession(ctx context.Context, sessionID string, updates *SessionUpdate) error
// RevokeSession revokes user session
RevokeSession(ctx context.Context, sessionID string) error
// ListActiveSessions lists all active sessions
ListActiveSessions(ctx context.Context) ([]*UserSession, error)
// CleanupExpiredSessions removes expired sessions
CleanupExpiredSessions(ctx context.Context) (*CleanupResult, error)
// GetSessionStats returns session management statistics
GetSessionStats() (*SessionStatistics, error)
}
// DelegationManager handles permission delegation and temporary access
type DelegationManager interface {
// DelegatePermission delegates permission from one user to another
DelegatePermission(ctx context.Context, fromUserID, toUserID string, permission Permission, duration time.Duration) (*Delegation, error)
// RevokeDelegation revokes previously granted delegation
RevokeDelegation(ctx context.Context, delegationID string) error
// GetUserDelegations gets all delegations for a user
GetUserDelegations(ctx context.Context, userID string) ([]*Delegation, error)
// GetActiveDelegations gets all active delegations in system
GetActiveDelegations(ctx context.Context) ([]*Delegation, error)
// ValidateDelegation validates delegation request
ValidateDelegation(ctx context.Context, delegation *Delegation) (*DelegationValidation, error)
// GetDelegationStats returns delegation statistics
GetDelegationStats() (*DelegationStatistics, error)
}
Reference in New Issue View Git Blame Copy Permalink