From 48fbffcd4d92917789487a75ace38e517b9445f7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 12 Mar 2026 11:56:53 +0000 Subject: [PATCH 1/3] Initial plan From 51b9a85d288ffaa2f8874c3a0f4ae594843aa803 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 12 Mar 2026 11:58:55 +0000 Subject: [PATCH 2/3] docs: document step.authz_add_policy, step.authz_remove_policy, step.authz_role_assign Co-authored-by: intel352 <77607+intel352@users.noreply.github.com> --- README.md | 125 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) diff --git a/README.md b/README.md index 83e4a12..7cf319b 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,9 @@ RBAC authorization plugin for the [workflow engine](https://github.com/GoCodeAlo |---|---| | Module | `authz.casbin` | | Step | `step.authz_check_casbin` | +| Step | `step.authz_add_policy` | +| Step | `step.authz_remove_policy` | +| Step | `step.authz_role_assign` | ## authz.casbin module 
@@ -79,6 +82,128 @@ On denial (HTTP 403): } ``` +## step.authz_add_policy pipeline step + +Adds a policy rule to the Casbin enforcer at runtime. Each element of `rule` may be a static string or a Go template rendered against the merged pipeline context (trigger data, prior step outputs, and current context). + +```yaml +steps: + - type: step.authz_add_policy + config: + module: authz # authz.casbin module name (default: "authz") + rule: ["editor", "/api/posts", "POST"] # policy rule; each element may be a Go template +``` + +Template-based rule (values resolved from the pipeline context at runtime): + +```yaml +steps: + - type: step.authz_add_policy + config: + module: authz + rule: ["{{.role}}", "{{.resource}}", "{{.method}}"] +``` + +On success the step outputs: + +```json +{ + "authz_policy_added": true, + "authz_rule": ["editor", "/api/posts", "POST"] +} +``` + +`authz_policy_added` is `false` when the rule already existed in the enforcer. + +## step.authz_remove_policy pipeline step + +Removes a policy rule from the Casbin enforcer at runtime. Mirrors `step.authz_add_policy` in configuration; each element of `rule` may be a static string or a Go template. + +```yaml +steps: + - type: step.authz_remove_policy + config: + module: authz # authz.casbin module name (default: "authz") + rule: ["editor", "/api/posts", "POST"] # policy rule to remove; elements may be Go templates +``` + +Template-based rule: + +```yaml +steps: + - type: step.authz_remove_policy + config: + module: authz + rule: ["{{.role}}", "{{.resource}}", "{{.method}}"] +``` + +On success the step outputs: + +```json +{ + "authz_policy_removed": true, + "authz_rule": ["editor", "/api/posts", "POST"] +} +``` + +`authz_policy_removed` is `false` when the rule did not exist in the enforcer. + +## step.authz_role_assign pipeline step + +Adds or removes role mappings (grouping policies) in the Casbin enforcer at runtime. Useful for provisioning authorization when new users or tenants are onboarded. 
+ +| Config field | Type | Default | Description | +|---|---|---|---| +| `module` | string | `"authz"` | Name of the `authz.casbin` module | +| `action` | string | `"add"` | `"add"` to assign a role, `"remove"` to revoke it | +| `assignments` | list of `[user, role]` | — | One or more `[user, role]` pairs; each value may be a Go template | + +**Assign roles (static):** + +```yaml +steps: + - type: step.authz_role_assign + config: + module: authz + action: add # "add" (default) or "remove" + assignments: + - ["alice", "admin"] + - ["bob", "editor"] +``` + +**Assign a role using templates** (values resolved from the pipeline context at runtime): + +```yaml +steps: + - type: step.authz_role_assign + config: + module: authz + action: add + assignments: + - ["{{.new_user_id}}", "{{.tenant_role}}"] +``` + +**Revoke a role:** + +```yaml +steps: + - type: step.authz_role_assign + config: + module: authz + action: remove + assignments: + - ["bob", "editor"] +``` + +On success the step outputs: + +```json +{ + "authz_role_action": "add", + "authz_role_assignments": [["alice", "admin"], ["bob", "editor"]] +} +``` + ## Build ```sh From 87bda79b064dca52e6eb8b0301007d3f7050e3a4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 12 Mar 2026 13:59:38 +0000 Subject: [PATCH 3/3] docs: clarify add_policy persistence behavior and role_assign grouping policy row shape Co-authored-by: intel352 <77607+intel352@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7cf319b..b0cf162 100644 --- a/README.md +++ b/README.md 
@@ -84,7 +84,7 @@ On denial (HTTP 403): ## step.authz_add_policy pipeline step -Adds a policy rule to the Casbin enforcer at runtime. Each element of `rule` may be a static string or a Go template rendered against the merged pipeline context (trigger data, prior step outputs, and current context). +Adds a policy rule to the Casbin enforcer at runtime; when the rule actually changes the policy (that is, it is newly added), the step saves the updated policy via the module's configured Casbin adapter (file/GORM adapters persist to their backing store, while the in-memory adapter keeps changes for the lifetime of the process). Each element of `rule` may be a static string or a Go template rendered against the merged pipeline context (trigger data, prior step outputs, and current context). ```yaml steps: @@ -156,7 +156,7 @@ Adds or removes role mappings (grouping policies) in the Casbin enforcer at runt |---|---|---|---| | `module` | string | `"authz"` | Name of the `authz.casbin` module | | `action` | string | `"add"` | `"add"` to assign a role, `"remove"` to revoke it | -| `assignments` | list of `[user, role]` | — | One or more `[user, role]` pairs; each value may be a Go template | +| `assignments` | list of grouping policy rows | — | One or more grouping policy rows, each with at least `[user, role]`; each value may be a Go template | **Assign roles (static):**
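Review bot: In the new `step.authz_add_policy` and `step.authz_role_assign` sections (hunk `@@ -79,6 +82,128 @@`), the template examples `rule: ["{{.role}}", "{{.resource}}", "{{.method}}"]` and `assignments: - ["{{.new_user_id}}", "{{.tenant_role}}"]` render policy fields from the merged pipeline context, which the same paragraph says includes trigger data; the docs should say that a template resolved directly from unvalidated trigger input lets whoever controls the trigger choose which policy or role gets written, and that such values should come from a validated prior step output. The same sections also leave the failure modes undocumented: what the step outputs (or whether the pipeline stops) when the named `module` does not exist, when a template fails to render, or when an element renders to an empty string. Finally, `step.authz_role_assign` reports only `authz_role_action` and `authz_role_assignments`, with no per-row indication of whether anything actually changed, unlike the `authz_policy_added` / `authz_policy_removed` booleans documented for the other two steps; either document that it is idempotent by design or add the equivalent flag.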
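Review bot: The persistence sentence added to `step.authz_add_policy` in hunk `@@ -84,7 +84,7 @@` (the policy is saved through the module's configured Casbin adapter when the rule is newly added) has no counterpart in the `step.authz_remove_policy` and `step.authz_role_assign` sections, so a reader cannot tell whether a removal or a role assignment survives a restart with the file/GORM adapters; add the same statement to both sections, or state explicitly where the behaviour differs. The sentence itself now carries three clauses plus a parenthetical; consider splitting it into one sentence on when the save happens and one on what each adapter does with it.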
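Review bot: The reworded `assignments` row in hunk `@@ -156,7 +156,7 @@` says each grouping policy row has "at least `[user, role]`", but every example below the table and the `authz_role_assignments` output sample still show exactly two-element rows, so the "at least" has no visible meaning; add one example of a longer row and say what the extra columns correspond to (the `g` definition in the module's Casbin model fixes how many fields a grouping row has and what each one means).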