feat: ACLRuleInfo.IsRegex

Author: LazuliKao

internal/errs/operate.go

@@ -22,6 +22,7 @@ type ACLPermissionDeniedError struct {
 type ACLRuleInfo struct {
 	RulePath    string
 	Role        string
+	IsRegex     bool
 	Permissions []string
 	Priority    int
 }

internal/model/acl.go

@@ -5,22 +5,23 @@ import "time"
 // ACLRule represents an access control rule for a specific role and path
 type ACLRule struct {
 	ID          uint      `json:"id" gorm:"primaryKey"`
-	Role        string    `json:"role" gorm:"index;not null"` // OIDC role name
-	Path        string    `json:"path" gorm:"not null"`       // path pattern (e.g., "/", "/folder/*")
-	Permissions int32     `json:"permissions"`                // bitwise permissions
-	Priority    int       `json:"priority" gorm:"default:0"`  // higher priority rules override lower ones
+	Role        string    `json:"role" gorm:"index;not null"`    // OIDC role name
+	IsRegex     bool      `json:"is_regex" gorm:"default:false"` // whether Role is a regex pattern
+	Path        string    `json:"path" gorm:"not null"`          // path pattern (e.g., "/", "/folder/*")
+	Permissions int32     `json:"permissions"`                   // bitwise permissions
+	Priority    int       `json:"priority" gorm:"default:0"`     // higher priority rules override lower ones
 	CreatedAt   time.Time `json:"created_at"`
 	UpdatedAt   time.Time `json:"updated_at"`
 }
 
 // ACL Permission bits
 const (
-	ACLPermRead   int32 = 1 << iota // Read/List files
-	ACLPermWrite                    // Upload/Create files
-	ACLPermDelete                   // Delete files
-	ACLPermManage                   // Manage (rename, move, copy)
-	ACLPermShare                    // Create shares
-	ACLPermDownload                 // Download files
+	ACLPermRead     int32 = 1 << iota // Read/List files
+	ACLPermWrite                      // Upload/Create files
+	ACLPermDelete                     // Delete files
+	ACLPermManage                     // Manage (rename, move, copy)
+	ACLPermShare                      // Create shares
+	ACLPermDownload                   // Download files
 )
 
 // HasPermission checks if the rule has a specific permission

internal/op/acl.go

@@ -92,7 +92,7 @@ func CheckACLPermission(ctx context.Context, path string, requiredPerm int32) (*
 
 	for _, rule := range allRules {
 		// Check if rule applies to any of the user's roles
-		if !containsRole(userRoles, rule.Role) {
+		if !containsRole(userRoles, rule.Role, rule.IsRegex) {
 			continue
 		}
 
@@ -125,6 +125,7 @@ func CheckACLPermission(ctx context.Context, path string, requiredPerm int32) (*
 		ruleInfo := &errs.ACLRuleInfo{
 			RulePath:    matchedRule.Path,
 			Role:        matchedRule.Role,
+			IsRegex:     matchedRule.IsRegex,
 			Permissions: getPermissionNames(matchedRule.Permissions),
 			Priority:    matchedRule.Priority,
 		}
@@ -180,7 +181,7 @@ func GetMatchedACLRule(ctx context.Context, path string) (*model.ACLMatchedRule,
 	normalizedPath := normalizePath(path)
 
 	for _, rule := range allRules {
-		if !containsRole(userRoles, rule.Role) {
+		if !containsRole(userRoles, rule.Role, rule.IsRegex) {
 			continue
 		}
 
@@ -227,10 +228,19 @@ func getUserRoles(user *model.User) []string {
 	return roles
 }
 
-func containsRole(roles []string, role string) bool {
+func containsRole(roles []string, role string, isRegex bool) bool {
 	if role == "*" {
 		return true
 	}
+	if isRegex {
+		for _, r := range roles {
+			matched, err := utils.RegexMatch(role, r)
+			if err == nil && matched {
+				return true
+			}
+		}
+		return false
+	}
 	return slices.Contains(roles, role)
 }
 

pkg/utils/regex.go

@@ -0,0 +1,12 @@
+package utils
+
+import "regexp"
+
+// RegexMatch returns true if str matches the given regex pattern.
+func RegexMatch(pattern, str string) (bool, error) {
+	reg, err := regexp.Compile(pattern)
+	if err != nil {
+		return false, err
+	}
+	return reg.MatchString(str), nil
+}

server/handles/acl.go

@@ -10,6 +10,7 @@ import (
 
 type ACLRuleReq struct {
 	Role        string `json:"role" binding:"required"`
+	IsRegex     bool   `json:"is_regex"`
 	Path        string `json:"path" binding:"required"`
 	Permissions int32  `json:"permissions"`
 	Priority    int    `json:"priority"`
@@ -64,6 +65,7 @@ func CreateACLRule(c *gin.Context) {
 	}
 	rule := &model.ACLRule{
 		Role:        req.Role,
+		IsRegex:     req.IsRegex,
 		Path:        req.Path,
 		Permissions: req.Permissions,
 		Priority:    req.Priority,
@@ -122,12 +124,12 @@ func GetPathACLInfo(c *gin.Context) {
 		common.ErrorResp(c, err, 400)
 		return
 	}
-	
+
 	matched, err := op.GetMatchedACLRule(c.Request.Context(), req.Path)
 	if err != nil {
 		common.ErrorResp(c, err, 500)
 		return
 	}
-	
+
 	common.SuccessResp(c, matched)
 }