c7531e2b4d
Creates the pure package pkg/security/ with the base types of the
centralized permission system and the ResolveACL function.
Changes:
- pkg/acl/config.go: adds FromRoles([]Role) ACL as a direct constructor
- pkg/security/groups.go: UserGroup, AgentGroup
- pkg/security/policy.go: Permission, AgentPolicy, SecurityPolicy
- pkg/security/resolver.go: ResolveACL(agentID, SecurityPolicy) → acl.ACL
  * agent wildcard ("*") and user wildcard ("*") support
  * cumulative policies: union of permissions across groups
  * direct reference by agentID without defining a group
- pkg/security/security_test.go: 7 tests covering all the cases from the issue
The package is pure core: zero I/O, zero side effects.
Merged with feature flag centralized-security-groups = false (not wired).
27 lines
616 B
Go
package acl

// RoleDef is the input shape for building an ACL — matches config.RoleCfg.
type RoleDef struct {
	Users   []string
	Actions []string
}

// FromRoles builds an ACL directly from a slice of Role values.
func FromRoles(roles []Role) ACL {
	return ACL{roles: roles}
}

// FromMap builds an ACL from a map of role name → RoleDef.
// This is the primary constructor used from the runtime.
func FromMap(roles map[string]RoleDef) ACL {
	var rs []Role
	for name, def := range roles {
		rs = append(rs, Role{
			Name:    name,
			Users:   def.Users,
			Actions: def.Actions,
		})
	}
	return ACL{roles: rs}
}
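
A minimal sketch of the resolution rules listed in the commit message (agent wildcard, union of permissions across groups, direct agentID reference), added here as an illustration and not the code in pkg/security/resolver.go. The field layouts, the Grant type, the covers helper and the sample policy are assumptions: the page names the types but does not show their definitions, and user groups are inlined as plain user lists.

```go
package main

import "fmt"

type ( // assumed field layouts: the page names these types but shows no fields
	AgentGroup     map[string]bool                                   // agent IDs; "*" = every agent
	Permission     struct{ Users, Actions []string }                 // Users may hold "*"
	AgentPolicy    struct{ Agents string; Permissions []Permission } // Agents: group name or bare agentID
	SecurityPolicy struct{ AgentGroups map[string]AgentGroup; Policies []AgentPolicy }
	Grant          struct{ User, Action string }
)

func (g Grant) String() string { return fmt.Sprintf("%s may %s", g.User, g.Action) }

// covers: target is the agentID itself, or a group holding agentID or "*".
func covers(target, agentID string, p SecurityPolicy) bool {
	g := p.AgentGroups[target] // nil map for an undefined group; lookups are false
	return target == agentID || g["*"] || g[agentID]
}

// Resolve returns the union of grants from every policy that covers agentID.
func Resolve(agentID string, p SecurityPolicy) map[Grant]bool {
	out := map[Grant]bool{}
	for _, pol := range p.Policies {
		if !covers(pol.Agents, agentID, p) {
			continue
		}
		for _, perm := range pol.Permissions {
			for _, u := range perm.Users {
				for _, a := range perm.Actions {
					out[Grant{u, a}] = true
				}
			}
		}
	}
	return out
}

var sample = SecurityPolicy{ // constructed sample data
	AgentGroups: map[string]AgentGroup{"prod": {"deploy-bot": true}, "any": {"*": true}},
	Policies: []AgentPolicy{
		{"any", []Permission{{[]string{"*"}, []string{"status"}}}},
		{"prod", []Permission{{[]string{"alice"}, []string{"restart"}}}},
		{"deploy-bot", []Permission{{[]string{"alice"}, []string{"rollback"}}}},
	},
}

func main() { fmt.Println(Resolve("deploy-bot", sample)) }
```

Because resolution in this sketch is a union, each additional matching policy can only widen an agent's grants, so a policy change is best reviewed against the resolved set per agent rather than one policy in isolation.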