RBAC middleware support

docs/navigation.js

@@ -83,6 +83,11 @@ export const navigation = [
                 href: '/docs/advanced-guide/http-authentication',
                 desc: "Implement various HTTP authentication methods to secure your GoFR application and protect sensitive endpoints."
             },
+            {
+                title: 'Role-Based Access Control (RBAC)',
+                href: '/docs/advanced-guide/rbac',
+                desc: "Implement comprehensive Role-Based Access Control with support for roles, permissions, hierarchy, JWT integration, hot reloading, and fine-grained permission-based authorization."
+            },
             {
                 title: 'Circuit Breaker Support',
                 href: '/docs/advanced-guide/circuit-breaker',

go.work

@@ -12,8 +12,8 @@ use (
 	./pkg/gofr/datasource/elasticsearch
 	./pkg/gofr/datasource/file/azure
 	./pkg/gofr/datasource/file/ftp
-	./pkg/gofr/datasource/file/s3
 	./pkg/gofr/datasource/file/gcs
+	./pkg/gofr/datasource/file/s3
 	./pkg/gofr/datasource/file/sftp
 	./pkg/gofr/datasource/influxdb
 	./pkg/gofr/datasource/kv-store/badger
@@ -27,4 +27,5 @@ use (
 	./pkg/gofr/datasource/scylladb
 	./pkg/gofr/datasource/solr
 	./pkg/gofr/datasource/surrealdb
+	./pkg/gofr/rbac
 )

go.work.sum

@@ -345,6 +345,7 @@ github.com/chenzhuoyu/iasm v0.9.0 h1:9fhXjVzq5hUy2gkhhgHl95zG2cEAhw9OSGs8toWWAwo
 github.com/chenzhuoyu/iasm v0.9.0/go.mod h1:Xjy2NpN3h7aUqeqM+woSuuvxmIe6+DDsiNLIrkAmYog=
 github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/readline v1.5.1 h1:upd/6fQk4src78LMRzh5vItIt361/o4uq553V8B5sGI=
 github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
@@ -736,8 +737,6 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.25.0 h1:Y6uW6rH1y5y/LK1J8BPWZtr6yZ7hrsy6hFrXjgsc2fQ=

pkg/gofr/rbac.go

@@ -0,0 +1,80 @@
+package gofr
+
+import (
+	"net/http"
+
+	"go.opentelemetry.io/otel"
+)
+
+// RBACProvider is the interface for RBAC implementations.
+// External RBAC modules (like gofr.dev/pkg/gofr/rbac) implement this interface.
+type RBACProvider interface {
+	// UseLogger sets the logger for the provider
+	UseLogger(logger any)
+
+	// UseMetrics sets the metrics for the provider
+	UseMetrics(metrics any)
+
+	// UseTracer sets the tracer for the provider
+	UseTracer(tracer any)
+
+	// LoadPermissions loads RBAC configuration from the stored config path
+	LoadPermissions() error
+
+	// ApplyMiddleware returns the middleware function using the stored config
+	// The returned function should be compatible with http.Handler middleware pattern
+	ApplyMiddleware() func(http.Handler) http.Handler
+}
+
+// DefaultRBACConfig is a constant that can be passed to NewProvider to use default config paths.
+// When passed, NewProvider will try: configs/rbac.json, configs/rbac.yaml, configs/rbac.yml.
+const DefaultRBACConfig = ""
+
+// EnableRBAC enables RBAC by loading configuration from a JSON or YAML file.
+// This is a factory function that registers RBAC implementations and sets up the middleware.
+// The config file path is stored in the provider (set via NewProvider).
+//
+// Pure config-based: All authorization rules are defined in the config file using:
+// - Roles: role → permission mapping (format: "resource:action")
+// - Endpoints: route & method → permission mapping
+//
+// Example:
+//
+//	import (
+//		"gofr.dev/pkg/gofr"
+//		"gofr.dev/pkg/gofr/rbac"
+//	)
+//
+//	app := gofr.New()
+//	provider := rbac.NewProvider("configs/rbac.json") // Store config path
+//	app.EnableRBAC(provider) // Uses stored path
+//
+// Role extraction is configured in the config file:
+// - Set "roleHeader" for header-based extraction (e.g., "X-User-Role")
+// - Set "jwtClaimPath" for JWT-based extraction (e.g., "role", "roles[0]").
+func (a *App) EnableRBAC(provider RBACProvider) {
+	if provider == nil {
+		a.Logger().Error("RBAC provider is required. Create one using: provider := rbac.NewProvider(\"configs/rbac.json\")")
+		return
+	}
+
+	// Set logger, metrics, and tracer automatically
+	provider.UseLogger(a.Logger())
+	provider.UseMetrics(a.Metrics())
+
+	tracer := otel.GetTracerProvider().Tracer("gofr-rbac")
+	provider.UseTracer(tracer)
+
+	// Load configuration from file using the provider
+	// Logger is automatically set on config during LoadPermissions
+	if err := provider.LoadPermissions(); err != nil {
+		a.Logger().Errorf("Failed to load RBAC config: %v", err)
+		return
+	}
+
+	a.Logger().Infof("Loaded RBAC config successfully")
+
+	// Apply middleware using the provider
+	middlewareFunc := provider.ApplyMiddleware()
+	a.httpServer.router.Use(middlewareFunc)
+}