feat: add RBAC (Role-Based Access Control) support (#9)

sehwan505 · web-flow · commit 61612b596a4e · 2025-11-12T16:11:07.000+09:00
* feat: add RBAC (Role-Based Access Control) support
* fix: update RBAC tests for admin/developer/viewer roles and fix fmt.Println
diff --git a/cmd/test-rbac/main.go b/cmd/test-rbac/main.go
@@ -0,0 +1,97 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/DevSymphony/sym-cli/internal/roles"
+)
+
+func main() {
+	// Change to test directory
+	if err := os.Chdir("/tmp/rbac-test"); err != nil {
+		fmt.Printf("❌ Failed to change directory: %v\n", err)
+		return
+	}
+
+	fmt.Println("🧪 RBAC 검증 테스트 시작")
+	fmt.Println("================================================================")
+
+	// Test scenarios
+	testCases := []struct {
+		name     string
+		username string
+		files    []string
+	}{
+		{
+			name:     "Frontend Dev - 허용된 파일만",
+			username: "alice",
+			files: []string{
+				"src/components/Button.js",
+				"src/components/ui/Modal.js",
+				"src/hooks/useAuth.js",
+			},
+		},
+		{
+			name:     "Frontend Dev - 거부된 파일 포함",
+			username: "alice",
+			files: []string{
+				"src/components/Button.js",
+				"src/core/engine.js",
+				"src/api/client.js",
+			},
+		},
+		{
+			name:     "Senior Dev - 모든 파일",
+			username: "charlie",
+			files: []string{
+				"src/components/Button.js",
+				"src/core/engine.js",
+				"src/api/client.js",
+				"src/utils/helper.js",
+			},
+		},
+		{
+			name:     "Viewer - 읽기 전용",
+			username: "david",
+			files: []string{
+				"src/components/Button.js",
+			},
+		},
+		{
+			name:     "Frontend Dev - 혼합 케이스",
+			username: "bob",
+			files: []string{
+				"src/hooks/useData.js",
+				"src/core/config.js",
+				"src/utils/format.js",
+				"src/components/Header.js",
+			},
+		},
+	}
+
+	for i, tc := range testCases {
+		fmt.Printf("\n📋 테스트 %d: %s\n", i+1, tc.name)
+		fmt.Printf("   사용자: %s\n", tc.username)
+		fmt.Printf("   파일 수: %d개\n", len(tc.files))
+
+		result, err := roles.ValidateFilePermissions(tc.username, tc.files)
+		if err != nil {
+			fmt.Printf("   ❌ 오류: %v\n", err)
+			continue
+		}
+
+		if result.Allowed {
+			fmt.Printf("   ✅ 결과: 모든 파일 수정 가능\n")
+		} else {
+			fmt.Printf("   ❌ 결과: %d개 파일 수정 불가\n", len(result.DeniedFiles))
+			fmt.Printf("   거부된 파일:\n")
+			for _, file := range result.DeniedFiles {
+				fmt.Printf("      - %s\n", file)
+			}
+		}
+	}
+
+	fmt.Println("\n================================================================")
+	fmt.Println("✅ 테스트 완료!")
+}
diff --git a/internal/cmd/export.go b/internal/cmd/export.go
@@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+)
+
+var exportCmd = &cobra.Command{
+	Use:   "export [path]",
+	Short: "현재 작업에 필요한 컨벤션을 추출하여 반환합니다",
+	Long: `현재 작업 컨텍스트에 맞는 관련 컨벤션만 추출하여 반환합니다.
+LLM이 작업 시 컨텍스트에 포함할 수 있도록 최적화된 형태로 제공됩니다.`,
+	Args: cobra.MaximumNArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		path := "."
+		if len(args) > 0 {
+			path = args[0]
+		}
+
+		context, _ := cmd.Flags().GetString("context")
+		format, _ := cmd.Flags().GetString("format")
+
+		fmt.Printf("Exporting conventions for: %s\n", path)
+		fmt.Printf("Context: %s\n", context)
+		fmt.Printf("Format: %s\n", format)
+
+		// TODO: 실제 내보내기 로직 구현
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(exportCmd)
+
+	exportCmd.Flags().StringP("context", "c", "", "work context description")
+	exportCmd.Flags().StringP("format", "f", "text", "output format (text|json|markdown)")
+	exportCmd.Flags().StringSlice("files", []string{}, "files being modified")
+	exportCmd.Flags().StringSlice("languages", []string{}, "programming languages involved")
+}
diff --git a/internal/roles/rbac.go b/internal/roles/rbac.go
@@ -0,0 +1,190 @@
+package roles
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/DevSymphony/sym-cli/internal/git"
+	"github.com/DevSymphony/sym-cli/internal/policy"
+	"github.com/DevSymphony/sym-cli/pkg/schema"
+)
+
+// ValidationResult represents the result of RBAC validation
+type ValidationResult struct {
+	Allowed     bool     // true if all files are allowed, false if any are denied
+	DeniedFiles []string // list of files that are denied (empty if Allowed is true)
+}
+
+// GetUserPolicyPath returns the path to user-policy.json in the current repo
+func GetUserPolicyPath() (string, error) {
+	repoRoot, err := git.GetRepoRoot()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(repoRoot, ".sym", "user-policy.json"), nil
+}
+
+// LoadUserPolicyFromRepo loads user-policy.json from the current repository
+func LoadUserPolicyFromRepo() (*schema.UserPolicy, error) {
+	policyPath, err := GetUserPolicyPath()
+	if err != nil {
+		return nil, err
+	}
+
+	// Check if file exists
+	if _, err := os.Stat(policyPath); os.IsNotExist(err) {
+		return nil, fmt.Errorf("user-policy.json not found at %s. Run 'sym init' to create it", policyPath)
+	}
+
+	// Use existing loader
+	loader := policy.NewLoader(false)
+	return loader.LoadUserPolicy(policyPath)
+}
+
+// matchPattern checks if a file path matches a glob pattern
+// Supports ** (match any directory level) and * (match within directory)
+func matchPattern(pattern, path string) bool {
+	// Normalize paths
+	pattern = filepath.ToSlash(pattern)
+	path = filepath.ToSlash(path)
+
+	// Handle ** pattern (match any directory level)
+	if strings.Contains(pattern, "**") {
+		parts := strings.Split(pattern, "**")
+		if len(parts) == 2 {
+			prefix := strings.TrimSuffix(parts[0], "/")
+			suffix := strings.TrimPrefix(parts[1], "/")
+
+			// Check prefix
+			if prefix != "" && !strings.HasPrefix(path, prefix) {
+				return false
+			}
+
+			// Check suffix
+			if suffix != "" {
+				// Remove prefix from path
+				remaining := path
+				if prefix != "" {
+					remaining = strings.TrimPrefix(path, prefix+"/")
+				}
+
+				// Check if suffix matches
+				if suffix == "*" {
+					return true
+				}
+				if strings.HasSuffix(suffix, "/*") {
+					// Match directory and any file in it
+					dir := strings.TrimSuffix(suffix, "/*")
+					return strings.Contains(remaining, dir+"/") || strings.HasPrefix(remaining, dir+"/")
+				}
+				// Exact match or contains the path
+				return strings.Contains(remaining, suffix) || strings.HasSuffix(remaining, suffix)
+			}
+			return true
+		}
+	}
+
+	// Handle simple * pattern
+	if strings.Contains(pattern, "*") {
+		matched, _ := filepath.Match(pattern, path)
+		return matched
+	}
+
+	// Exact match or prefix match
+	if strings.HasSuffix(pattern, "/") {
+		return strings.HasPrefix(path, pattern)
+	}
+
+	return path == pattern || strings.HasPrefix(path, pattern+"/")
+}
+
+// checkFilePermission checks if a single file is allowed for the given role
+func checkFilePermission(filePath string, role *schema.UserRole) bool {
+	// Check denyWrite first (deny takes precedence)
+	for _, denyPattern := range role.DenyWrite {
+		if matchPattern(denyPattern, filePath) {
+			return false
+		}
+	}
+
+	// If no allowWrite patterns, allow by default
+	if len(role.AllowWrite) == 0 {
+		return true
+	}
+
+	// Check allowWrite patterns
+	for _, allowPattern := range role.AllowWrite {
+		if matchPattern(allowPattern, filePath) {
+			return true
+		}
+	}
+
+	// Not explicitly allowed
+	return false
+}
+
+// ValidateFilePermissions validates if a user can modify the given files
+// Returns ValidationResult with Allowed=true if all files are permitted,
+// or Allowed=false with a list of denied files
+func ValidateFilePermissions(username string, files []string) (*ValidationResult, error) {
+	// Get user's role (this internally loads roles.json)
+	userRole, err := GetUserRole(username)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user role: %w", err)
+	}
+
+	if userRole == "none" {
+		return &ValidationResult{
+			Allowed:     false,
+			DeniedFiles: files, // All files denied if user has no role
+		}, nil
+	}
+
+	// Load user-policy.json
+	userPolicy, err := LoadUserPolicyFromRepo()
+	if err != nil {
+		return nil, fmt.Errorf("failed to load user policy: %w", err)
+	}
+
+	// Check if RBAC is defined in policy
+	if userPolicy.RBAC == nil || userPolicy.RBAC.Roles == nil {
+		// No RBAC defined, allow all files
+		return &ValidationResult{
+			Allowed:     true,
+			DeniedFiles: []string{},
+		}, nil
+	}
+
+	// Get role configuration from policy
+	roleConfig, exists := userPolicy.RBAC.Roles[userRole]
+	if !exists {
+		// Role not defined in policy, deny all
+		return &ValidationResult{
+			Allowed:     false,
+			DeniedFiles: files,
+		}, nil
+	}
+
+	// Check each file
+	deniedFiles := []string{}
+	for _, file := range files {
+		if !checkFilePermission(file, &roleConfig) {
+			deniedFiles = append(deniedFiles, file)
+		}
+	}
+
+	// Return result
+	if len(deniedFiles) == 0 {
+		return &ValidationResult{
+			Allowed:     true,
+			DeniedFiles: []string{},
+		}, nil
+	}
+
+	return &ValidationResult{
+		Allowed:     false,
+		DeniedFiles: deniedFiles,
+	}, nil
+}
diff --git a/tests/integration/rbac_test.go b/tests/integration/rbac_test.go
