kai/ColaFlow
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(backend): Implement complete RBAC system (Day 5 Phase 2)

Browse Source 
Implemented Role-Based Access Control (RBAC) with 5 tenant-level roles following Clean Architecture principles.

Changes:
- Created TenantRole enum (TenantOwner, TenantAdmin, TenantMember, TenantGuest, AIAgent)
- Created UserTenantRole entity with repository pattern
- Updated JWT service to include role claims (tenant_role, role)
- Updated RegisterTenant to auto-assign TenantOwner role
- Updated Login to query and include user role in JWT
- Updated RefreshToken to preserve role claims
- Added authorization policies in Program.cs (RequireTenantOwner, RequireTenantAdmin, etc.)
- Updated /api/auth/me endpoint to return role information
- Created EF Core migration for user_tenant_roles table
- Applied database migration successfully

Database:
- New table: identity.user_tenant_roles
- Columns: id, user_id, tenant_id, role, assigned_at, assigned_by_user_id
- Indexes: user_id, tenant_id, role, unique(user_id, tenant_id)
- Foreign keys: CASCADE on user and tenant deletion

Testing:
- Created test-rbac.ps1 PowerShell script
- All RBAC tests passing
- JWT tokens contain role claims
- Role persists across login and token refresh

Documentation:
- DAY5-PHASE2-RBAC-IMPLEMENTATION-SUMMARY.md with complete implementation details

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Yaojia Wang
2025-11-03 15:00:39 +01:00
parent 17f3d4a2b3
commit aaab26ba6c
19 changed files with 1714 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
colaflow-api/src/ColaFlow.API/Program.cs
View File

@@ -44,7 +44,30 @@ builder.Services.AddAuthentication(options =>
};
});
builder.Services.AddAuthorization();
// Configure Authorization Policies for RBAC
builder.Services.AddAuthorization(options =>
{
// Tenant Owner only
options.AddPolicy("RequireTenantOwner", policy =>
policy.RequireRole("TenantOwner"));
// Tenant Owner or Tenant Admin
options.AddPolicy("RequireTenantAdmin", policy =>
policy.RequireRole("TenantOwner", "TenantAdmin"));
// Tenant Owner, Tenant Admin, or Tenant Member (excludes Guest and AIAgent)
options.AddPolicy("RequireTenantMember", policy =>
policy.RequireRole("TenantOwner", "TenantAdmin", "TenantMember"));
// Human users only (excludes AIAgent)
options.AddPolicy("RequireHumanUser", policy =>
policy.RequireAssertion(context =>
!context.User.IsInRole("AIAgent")));
// AI Agent only (for MCP integration testing)
options.AddPolicy("RequireAIAgent", policy =>
policy.RequireRole("AIAgent"));
});
// Configure CORS for frontend
builder.Services.AddCors(options =>