add an auth context

Signed-off-by: Robert Landers <landers.robert@gmail.com>

Author: withinboredom

cli/auth/resourceManager.go

@@ -4,10 +4,12 @@ import (
 	"context"
 	"durable_php/appcontext"
 	"durable_php/glue"
+	"encoding/json"
 	"github.com/modern-go/concurrent"
 	"github.com/nats-io/nats.go"
 	"github.com/nats-io/nats.go/jetstream"
 	"go.uber.org/zap"
+	"maps"
 	"time"
 )
 
@@ -87,6 +89,47 @@ func (r *ResourceManager) DiscoverResource(ctx context.Context, id *glue.StateId
 	return resource, nil
 }
 
+func (r *ResourceManager) ToAuthContext(ctx context.Context, resource *Resource) ([]byte, error) {
+	var owners []map[string]interface{}
+
+	for o, _ := range resource.Owners {
+		owners = append(owners, map[string]interface{}{
+			"shareType": "owner",
+			"subject":   string(o),
+			"allowed":   []string{string(Owner)},
+		})
+	}
+
+	var shares []map[string]interface{}
+
+	for _, s := range resource.Shares {
+		if u, ok := s.(*UserShare); ok {
+			shares = append(shares, map[string]interface{}{
+				"shareType": "user",
+				"subject":   string(u.UserId),
+				"allowed":   maps.Keys(u.AllowedOperations),
+			})
+		}
+		if r, ok := s.(*RoleShare); ok {
+			shares = append(shares, map[string]interface{}{
+				"shareType": "role",
+				"subject":   string(r.Role),
+				"allowed":   maps.Keys(r.AllowedOperations),
+			})
+		}
+	}
+
+	c := map[string]interface{}{
+		"contextId": map[string]string{
+			"id": resource.id.String(),
+		},
+		"owners": owners,
+		"shares": shares,
+	}
+
+	return json.Marshal(c)
+}
+
 // ScheduleDelete is a method of the ResourceManager struct that is responsible for scheduling the deletion of a
 // resource based on the provided context, resource, and time. It deletes the resource from the key-value store and
 // publishes a delete message to NATS JetStream with a delay specified by the provided time. The resource is identified

cli/glue/glue.go

@@ -4,13 +4,15 @@ import (
 	"bytes"
 	"context"
 	"durable_php/appcontext"
+	"durable_php/auth"
 	"encoding/json"
 	"fmt"
 	"github.com/dunglas/frankenphp"
 	"github.com/nats-io/nats.go"
 	"github.com/nats-io/nats.go/jetstream"
 	"go.uber.org/zap"
 	"io"
+	"maps"
 	"net/http"
 	"net/url"
 	"os"
@@ -126,6 +128,17 @@ func (g *Glue) Execute(ctx context.Context, headers http.Header, logger *zap.Log
 	headers.Add("DPHP_FUNCTION", string(g.function))
 	headers.Add("DPHP_PAYLOAD", g.payload)
 
+	rm := auth.GetResourceManager(ctx, stream)
+	res, err := rm.DiscoverResource(ctx, id, logger, true)
+	if err != nil {
+		logger.Error("DiscoverResource", zap.Error(err))
+		panic(err)
+	}
+	if res != nil {
+		ac, _ := rm.ToAuthContext(ctx, res)
+		headers.Add("DPHP_AUTH_CONTEXT", string(ac))
+	}
+
 	provenance := ctx.Value(appcontext.CurrentUserKey)
 	if provenance != nil {
 		provenanceJson, err := json.Marshal(provenance)

composer.json

@@ -10,7 +10,8 @@
       "Bottledcode\\DurablePhp\\": "src/"
     },
     "files": [
-      "src/functions.php"
+      "src/functions.php",
+      "src/Contexts/AuthContext/functions.php"
     ]
   },
   "autoload-dev": {

src/Contexts/AuthContext.php

@@ -0,0 +1,36 @@
+<?php
+
+namespace Bottledcode\DurablePhp\Contexts;
+
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share;
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share\Owner;
+use Bottledcode\DurablePhp\State\Ids\StateId;
+use Bottledcode\DurablePhp\State\Serializer;
+use Crell\Serde\Attributes\SequenceField;
+use Withinboredom\Record;
+
+abstract readonly class AuthContext extends Record
+{
+    public StateId $contextId;
+
+    /**
+     * @var array<Owner>
+     */
+    #[SequenceField(arrayType: Owner::class)]
+    public array $owners;
+
+    /**
+     * @var array<Share>
+     */
+    #[SequenceField(arrayType: Share::class)]
+    public array $shares;
+
+    public static function fromCurrentContext(): ?AuthContext
+    {
+        if (isset($_SERVER['HTTP_DPHP_AUTH_CONTEXT'])) {
+            return Serializer::deserialize($_SERVER['HTTP_DPHP_AUTH_CONTEXT'], self::class);
+        }
+
+        return null;
+    }
+}

src/Contexts/AuthContext/Share.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace Bottledcode\DurablePhp\Contexts\AuthContext;
+
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share\Owner;
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share\Role;
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share\User;
+use Bottledcode\DurablePhp\Events\Shares\Operation;
+use Crell\Serde\Attributes\SequenceField;
+use Crell\Serde\Attributes\StaticTypeMap;
+use Withinboredom\Record;
+
+#[StaticTypeMap(key: 'shareType', map: [
+    'owner' => Owner::class,
+    'role' => Role::class,
+    'user' => User::class,
+])]
+abstract readonly class Share extends Record
+{
+    public string $subject;
+
+    /**
+     * @var array<Operation>
+     */
+    #[SequenceField(arrayType: Operation::class)]
+    public array $allowed;
+}

src/Contexts/AuthContext/Share/Owner.php

@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * Copyright ©2025 Robert Landers
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the “Software”), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
+ * OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
+ * OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+namespace Bottledcode\DurablePhp\Contexts\AuthContext\Share;
+
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share;
+
+readonly class Owner extends Share {}

src/Contexts/AuthContext/Share/Role.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace Bottledcode\DurablePhp\Contexts\AuthContext\Share;
+
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share;
+
+readonly class Role extends Share {}

src/Contexts/AuthContext/Share/User.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace Bottledcode\DurablePhp\Contexts\AuthContext\Share;
+
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share;
+
+readonly class User extends Share {}

src/Contexts/AuthContext/functions.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace Bottledcode\DurablePhp\Contexts\AuthContext;
+
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share\Owner;
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share\Role;
+use Bottledcode\DurablePhp\Contexts\AuthContext\Share\User;
+use Bottledcode\DurablePhp\Events\Shares\Operation;
+use ReflectionClass;
+
+function Owner(string $subject): Owner
+{
+    $ref = new ReflectionClass(Owner::class);
+
+    return $ref->getMethod('fromArgs')->invoke(null, subject: $subject, allowed: [Operation::Owner]);
+}
+
+function Role(string $subject, Operation ...$allowed): Role
+{
+    $ref = new ReflectionClass(Role::class);
+
+    return $ref->getMethod('fromArgs')->invoke(null, subject: $subject, allowed: $allowed);
+}
+
+function User(string $subject, Operation ...$allowed): User
+{
+    $ref = new ReflectionClass(User::class);
+
+    return $ref->getMethod('fromArgs')->invoke(null, subject: $subject, allowed: $allowed);
+}

src/EntityContext.php

@@ -24,7 +24,14 @@
 
 namespace Bottledcode\DurablePhp;
 
+use Bottledcode\DurablePhp\Events\GiveOwnership;
 use Bottledcode\DurablePhp\Events\RaiseEvent;
+use Bottledcode\DurablePhp\Events\RevokeRole;
+use Bottledcode\DurablePhp\Events\RevokeUser;
+use Bottledcode\DurablePhp\Events\ShareOwnership;
+use Bottledcode\DurablePhp\Events\Shares\Operation;
+use Bottledcode\DurablePhp\Events\ShareWithRole;
+use Bottledcode\DurablePhp\Events\ShareWithUser;
 use Bottledcode\DurablePhp\Events\StartExecution;
 use Bottledcode\DurablePhp\Events\TaskCompleted;
 use Bottledcode\DurablePhp\Events\WithDelay;
@@ -188,4 +195,64 @@ public function currentUserId(): string
     {
         return $this->user->userId;
     }
+
+    public function shareOwnership(string $withUser): void
+    {
+        $this->eventDispatcher->fire(
+            WithEntity::forInstance(
+                StateId::fromEntityId($this->id),
+                ShareOwnership::withUser($withUser),
+            ),
+        );
+    }
+
+    public function giveOwnership(string $withUser): void
+    {
+        $this->eventDispatcher->fire(
+            WithEntity::forInstance(
+                StateId::fromEntityId($this->id),
+                GiveOwnership::withUser($withUser),
+            ),
+        );
+    }
+
+    public function grantUser(string $withUser, Operation ...$operation): void
+    {
+        $this->eventDispatcher->fire(
+            WithEntity::forInstance(
+                StateId::fromEntityId($this->id),
+                ShareWithUser::For($withUser, ...$operation),
+            ),
+        );
+    }
+
+    public function grantRole(string $withRole, Operation ...$operation): void
+    {
+        $this->eventDispatcher->fire(
+            WithEntity::forInstance(
+                StateId::fromEntityId($this->id),
+                ShareWithRole::For($withRole, ...$operation),
+            ),
+        );
+    }
+
+    public function revokeUser(string $user): void
+    {
+        $this->eventDispatcher->fire(
+            WithEntity::forInstance(
+                StateId::fromEntityId($this->id),
+                RevokeUser::completely($user),
+            ),
+        );
+    }
+
+    public function revokeRole(string $role): void
+    {
+        $this->eventDispatcher->fire(
+            WithEntity::forInstance(
+                StateId::fromEntityId($this->id),
+                RevokeRole::completely($role),
+            ),
+        );
+    }
 }