domain: add Identity & Access entities (User, Role, Permission, Group)

2026-05-31 03:20:18 +02:00
parent aa432e6594
commit 656da7e945
11 changed files with 234 additions and 2 deletions
--- a/crates/domain/src/entities/group.rs
+++ b/crates/domain/src/entities/group.rs
@@ -0,0 +1,46 @@
+use std::collections::HashSet;
+use crate::errors::DomainError;
+use crate::value_objects::SystemId;
+
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
+pub struct Group {
+    pub group_id: SystemId,
+    pub name: String,
+    pub owner_user_id: SystemId,
+    pub members: HashSet<SystemId>,
+}
+
+impl Group {
+    pub fn new(name: impl Into<String>, owner_user_id: SystemId) -> Self {
+        let mut members = HashSet::new();
+        members.insert(owner_user_id);
+        Self {
+            group_id: SystemId::new(),
+            name: name.into(),
+            owner_user_id,
+            members,
+        }
+    }
+
+    pub fn add_member(&mut self, user_id: SystemId) -> Result<(), DomainError> {
+        if self.members.contains(&user_id) {
+            return Err(DomainError::Conflict(format!("User {user_id} is already a member")));
+        }
+        self.members.insert(user_id);
+        Ok(())
+    }
+
+    pub fn remove_member(&mut self, user_id: SystemId) -> Result<(), DomainError> {
+        if user_id == self.owner_user_id {
+            return Err(DomainError::Validation("Cannot remove the group owner".to_string()));
+        }
+        if !self.members.remove(&user_id) {
+            return Err(DomainError::NotFound(format!("User {user_id} is not a member")));
+        }
+        Ok(())
+    }
+
+    pub fn is_member(&self, user_id: &SystemId) -> bool {
+        self.members.contains(user_id)
+    }
+}
--- a/crates/domain/src/entities/mod.rs
+++ b/crates/domain/src/entities/mod.rs
@@ -1,2 +1,9 @@
+pub mod permission;
+pub mod role;
 mod user;
+mod group;
+
+pub use permission::{Permission, PermissionAction, ResourceType};
+pub use role::Role;
 pub use user::User;
+pub use group::Group;
--- a/crates/domain/src/entities/permission.rs
+++ b/crates/domain/src/entities/permission.rs
@@ -0,0 +1,60 @@
+use std::collections::HashSet;
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, serde::Serialize, serde::Deserialize)]
+pub enum PermissionAction {
+    ReadAsset,
+    ReadMetadata,
+    ReadLocation,
+    ReadPerson,
+    WriteMetadata,
+    DeleteAsset,
+    ManageAccess,
+    ManageUsers,
+    ManageSystem,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, serde::Serialize, serde::Deserialize)]
+pub enum ResourceType {
+    Asset,
+    Album,
+    Collection,
+    Person,
+    Directory,
+    Global,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, serde::Serialize, serde::Deserialize)]
+pub struct Permission {
+    pub action: PermissionAction,
+    pub resource_type: ResourceType,
+}
+
+impl Permission {
+    pub fn new(action: PermissionAction, resource_type: ResourceType) -> Self {
+        Self { action, resource_type }
+    }
+}
+
+pub fn viewer_permissions() -> HashSet<Permission> {
+    HashSet::from([
+        Permission::new(PermissionAction::ReadAsset, ResourceType::Global),
+        Permission::new(PermissionAction::ReadMetadata, ResourceType::Global),
+    ])
+}
+
+pub fn contributor_permissions() -> HashSet<Permission> {
+    let mut perms = viewer_permissions();
+    perms.insert(Permission::new(PermissionAction::WriteMetadata, ResourceType::Global));
+    perms
+}
+
+pub fn admin_permissions() -> HashSet<Permission> {
+    let mut perms = contributor_permissions();
+    perms.insert(Permission::new(PermissionAction::DeleteAsset, ResourceType::Global));
+    perms.insert(Permission::new(PermissionAction::ManageAccess, ResourceType::Global));
+    perms.insert(Permission::new(PermissionAction::ManageUsers, ResourceType::Global));
+    perms.insert(Permission::new(PermissionAction::ManageSystem, ResourceType::Global));
+    perms.insert(Permission::new(PermissionAction::ReadLocation, ResourceType::Global));
+    perms.insert(Permission::new(PermissionAction::ReadPerson, ResourceType::Global));
+    perms
+}
--- a/crates/domain/src/entities/role.rs
+++ b/crates/domain/src/entities/role.rs
@@ -0,0 +1,26 @@
+use std::collections::HashSet;
+use crate::value_objects::SystemId;
+use super::permission::{Permission, PermissionAction, ResourceType};
+
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
+pub struct Role {
+    pub role_id: SystemId,
+    pub name: String,
+    pub permissions: HashSet<Permission>,
+    pub is_system_default: bool,
+}
+
+impl Role {
+    pub fn new(name: impl Into<String>, permissions: HashSet<Permission>, is_system_default: bool) -> Self {
+        Self {
+            role_id: SystemId::new(),
+            name: name.into(),
+            permissions,
+            is_system_default,
+        }
+    }
+
+    pub fn has_permission(&self, action: PermissionAction, resource_type: ResourceType) -> bool {
+        self.permissions.contains(&Permission::new(action, resource_type))
+    }
+}
--- a/crates/domain/src/entities/user.rs
+++ b/crates/domain/src/entities/user.rs
@@ -4,13 +4,20 @@ use crate::value_objects::{Email, PasswordHash, SystemId};
 #[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct User {
    pub id: SystemId,
+    pub username: String,
    pub email: Email,
    pub password_hash: PasswordHash,
    pub created_at: DateTime<Utc>,
 }

 impl User {
-    pub fn new(id: SystemId, email: Email, password_hash: PasswordHash) -> Self {
-        Self { id, email, password_hash, created_at: Utc::now() }
+    pub fn new(username: impl Into<String>, email: Email, password_hash: PasswordHash) -> Self {
+        Self {
+            id: SystemId::new(),
+            username: username.into(),
+            email,
+            password_hash,
+            created_at: Utc::now(),
+        }
    }
 }