authkit/cmd/roles/main.go

// Command roles is the seeding CLI for authkit roles, plus role↔permission
// linking.
//
//	roles create <slug> [--label "..."]
//	roles list
//	roles delete <slug>
//	roles grant <role-slug> <perm-slug>
//	roles revoke <role-slug> <perm-slug>
//	roles permissions <role-slug>
package main

import (
	"context"
	"errors"
	"fmt"
	"os"

	"git.juancwu.dev/juancwu/authkit/cmd/internal/clihelp"
)

func main() {
	if len(os.Args) < 2 {
		usage()
		os.Exit(2)
	}
	sub := os.Args[1]
	args := os.Args[2:]

	switch sub {
	case "create":
		runCreate(args)
	case "list":
		runList(args)
	case "delete", "rm":
		runDelete(args)
	case "grant":
		runGrant(args)
	case "revoke":
		runRevoke(args)
	case "permissions", "perms":
		runPermissions(args)
	case "-h", "--help", "help":
		usage()
	default:
		fmt.Fprintf(os.Stderr, "unknown subcommand %q\n\n", sub)
		usage()
		os.Exit(2)
	}
}

func usage() {
	fmt.Fprintln(os.Stderr, `usage: roles <subcommand> [args]

Subcommands:
  create <slug> [--label "..."]      create a role
  list                               list every role
  delete <slug>                      delete a role
  grant <role-slug> <perm-slug>      grant a permission to a role
  revoke <role-slug> <perm-slug>     revoke a permission from a role
  permissions <role-slug>            list permissions granted to a role

Common flags:
  --dsn  PostgreSQL DSN (defaults to $AUTHKIT_DATABASE_URL)`)
}

func runCreate(args []string) {
	fs, dsn := clihelp.DSNFlag("roles create")
	label := fs.String("label", "", "optional human label")
	_ = fs.Parse(args)
	rest := fs.Args()
	if len(rest) != 1 {
		clihelp.Fail(errors.New("create takes exactly one slug argument"))
	}
	ctx := context.Background()
	a, db, err := clihelp.Dial(ctx, *dsn)
	if err != nil {
		clihelp.Fail(err)
	}
	defer db.Close()
	r, err := a.CreateRole(ctx, rest[0], *label)
	if err != nil {
		clihelp.Fail(err)
	}
	fmt.Printf("created role %s (id=%s, label=%q)\n", r.Slug, r.ID, r.Label)
}

func runList(args []string) {
	fs, dsn := clihelp.DSNFlag("roles list")
	_ = fs.Parse(args)
	ctx := context.Background()
	a, db, err := clihelp.Dial(ctx, *dsn)
	if err != nil {
		clihelp.Fail(err)
	}
	defer db.Close()
	roles, err := a.ListRoles(ctx)
	if err != nil {
		clihelp.Fail(err)
	}
	for _, r := range roles {
		fmt.Printf("%s\t%s\n", r.Slug, r.Label)
	}
}

func runDelete(args []string) {
	fs, dsn := clihelp.DSNFlag("roles delete")
	_ = fs.Parse(args)
	rest := fs.Args()
	if len(rest) != 1 {
		clihelp.Fail(errors.New("delete takes exactly one slug argument"))
	}
	ctx := context.Background()
	a, db, err := clihelp.Dial(ctx, *dsn)
	if err != nil {
		clihelp.Fail(err)
	}
	defer db.Close()
	if err := a.DeleteRole(ctx, rest[0]); err != nil {
		clihelp.Fail(err)
	}
	fmt.Printf("deleted role %s\n", rest[0])
}

func runGrant(args []string) {
	fs, dsn := clihelp.DSNFlag("roles grant")
	_ = fs.Parse(args)
	rest := fs.Args()
	if len(rest) != 2 {
		clihelp.Fail(errors.New("grant takes <role-slug> <perm-slug>"))
	}
	ctx := context.Background()
	a, db, err := clihelp.Dial(ctx, *dsn)
	if err != nil {
		clihelp.Fail(err)
	}
	defer db.Close()
	if err := a.GrantPermissionToRole(ctx, rest[0], rest[1]); err != nil {
		clihelp.Fail(err)
	}
	fmt.Printf("granted %s to role %s\n", rest[1], rest[0])
}

func runRevoke(args []string) {
	fs, dsn := clihelp.DSNFlag("roles revoke")
	_ = fs.Parse(args)
	rest := fs.Args()
	if len(rest) != 2 {
		clihelp.Fail(errors.New("revoke takes <role-slug> <perm-slug>"))
	}
	ctx := context.Background()
	a, db, err := clihelp.Dial(ctx, *dsn)
	if err != nil {
		clihelp.Fail(err)
	}
	defer db.Close()
	if err := a.RevokePermissionFromRole(ctx, rest[0], rest[1]); err != nil {
		clihelp.Fail(err)
	}
	fmt.Printf("revoked %s from role %s\n", rest[1], rest[0])
}

func runPermissions(args []string) {
	fs, dsn := clihelp.DSNFlag("roles permissions")
	_ = fs.Parse(args)
	rest := fs.Args()
	if len(rest) != 1 {
		clihelp.Fail(errors.New("permissions takes exactly one role-slug argument"))
	}
	ctx := context.Background()
	a, db, err := clihelp.Dial(ctx, *dsn)
	if err != nil {
		clihelp.Fail(err)
	}
	defer db.Close()
	perms, err := a.ListRolePermissions(ctx, rest[0])
	if err != nil {
		clihelp.Fail(err)
	}
	for _, p := range perms {
		fmt.Printf("%s\t%s\n", p.Slug, p.Label)
	}
}