OneAuth/internal/model/policy.go


package model
// Policy is the persisted definition of an authorization policy: a resource
// type, an action, an optional condition and the effect to apply.
//
// NOTE(review): every field carries a json tag, including IsSystem and OrgID.
// If this struct is ever decoded directly from a request body, a client could
// set those fields itself; confirm that handlers bind to a narrower input type.
type Policy struct {
	Base

	// OrgID scopes the policy to one organization; empty means a global policy.
	OrgID string `json:"org_id" gorm:"index"`

	// Code is the policy's identifier. The unique index is on Code alone, so
	// codes are unique across all organizations, not per OrgID.
	Code string `json:"code" gorm:"uniqueIndex;size:50;not null"`

	// Name is the display name.
	Name string `json:"name" gorm:"size:50;not null"`

	// Description is optional free text.
	Description string `json:"description" gorm:"size:200"`

	// Resource is the resource type the policy applies to.
	Resource string `json:"resource" gorm:"size:50;not null"`

	// Action is one of read/create/update/delete, or "*".
	Action string `json:"action" gorm:"size:20;not null"`

	// Condition holds a CEL expression, stored as text.
	// NOTE(review): the expression is evaluated elsewhere; presumably it should
	// be compiled and validated before it is saved. Confirm at the write path.
	Condition string `json:"condition" gorm:"type:text"`

	// Effect is the outcome when the policy matches (see EffectAllow/EffectDeny).
	// NOTE(review): the column default is "allow", so a row written without an
	// explicit effect grants access. Confirm callers always set Effect, or
	// consider whether the default should fail closed.
	Effect string `json:"effect" gorm:"size:10;default:allow"`

	// Priority defaults to 0; how it orders evaluation is not visible here.
	Priority int `json:"priority" gorm:"default:0"`

	// IsSystem marks a built-in policy; defaults to false.
	IsSystem bool `json:"is_system" gorm:"default:false"`
}
// TableName returns the name of the table that stores Policy rows.
// Presumably this satisfies GORM's table-name hook; the ORM wiring is not
// visible in this file.
func (Policy) TableName() string {
	const table = "policies"
	return table
}
// Role is a named set of policies that belongs to one organization.
//
// NOTE(review): every field carries a json tag, including IsSystem and
// IsDefault. If this struct is ever decoded directly from a request body, a
// client could set those fields itself; confirm that handlers bind to a
// narrower input type.
type Role struct {
	Base

	// OrgID is the owning organization; required and indexed.
	OrgID string `json:"org_id" gorm:"index;not null"`

	// Code is the role's identifier.
	// NOTE(review): unlike Policy.Code there is no unique index here, so these
	// tags do not stop two roles in one organization from sharing a code.
	// Confirm uniqueness is enforced elsewhere.
	Code string `json:"code" gorm:"size:50;not null"`

	// Name is the display name.
	Name string `json:"name" gorm:"size:50;not null"`

	// Description is optional free text.
	Description string `json:"description" gorm:"size:200"`

	// PolicyIDs is a comma-separated list of policy IDs, stored as text.
	// NOTE(review): a text column gives no referential integrity, so an ID can
	// outlive its policy. The resolver should ignore or reject unknown IDs.
	PolicyIDs string `json:"policy_ids" gorm:"type:text"`

	// IsDefault defaults to false.
	IsDefault bool `json:"is_default" gorm:"default:false"`

	// IsSystem marks a built-in role; defaults to false.
	IsSystem bool `json:"is_system" gorm:"default:false"`

	// SortOrder defaults to 0.
	SortOrder int `json:"sort_order" gorm:"default:0"`
}
// TableName returns the name of the table that stores Role rows.
// Presumably this satisfies GORM's table-name hook; the ORM wiring is not
// visible in this file.
func (Role) TableName() string {
	const table = "roles"
	return table
}
// Effect constants: the values stored in Policy.Effect.
const (
	// EffectAllow grants the request when the policy matches.
	EffectAllow = "allow"
	// EffectDeny refuses the request when the policy matches.
	EffectDeny = "deny"
)
// Codes of the built-in system policies.
//
// The values follow a "sys:<resource>:<action>" pattern, with an ":own"
// suffix on the user policies.
// NOTE(review): nothing in this file reserves the "sys:" prefix. Confirm that
// the policy-creation path rejects caller-supplied codes that start with it.
const (
	// User policies, all carrying the ":own" suffix.
	SysPolicyUserReadOwn   = "sys:user:read:own"
	SysPolicyUserUpdateOwn = "sys:user:update:own"
	SysPolicyUserDeleteOwn = "sys:user:delete:own"

	// Organization policies.
	SysPolicyOrgAdmin = "sys:org:admin"
	SysPolicyOrgRead  = "sys:org:read"

	// Member policies.
	SysPolicyMemberRead   = "sys:member:read"
	SysPolicyMemberManage = "sys:member:manage"

	// Role policies.
	SysPolicyRoleRead   = "sys:role:read"
	SysPolicyRoleManage = "sys:role:manage"

	// Policy-management policies.
	SysPolicyPolicyRead   = "sys:policy:read"
	SysPolicyPolicyManage = "sys:policy:manage"
)
// Codes of the built-in system roles.
const (
	// SysRoleOrgOwner is the code of the built-in owner role.
	SysRoleOrgOwner = "owner"
	// SysRoleOrgAdmin is the code of the built-in admin role.
	SysRoleOrgAdmin = "admin"
	// SysRoleOrgMember is the code of the built-in member role.
	SysRoleOrgMember = "member"
)