mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-12 18:18:51 +00:00
auth-bundle-2 Phase 2b: repository interfaces + Postgres impls + integration tests
Closes Phase 2 end-to-end. Builds on Phase 2a's three migrations (000034 oidc_providers + group_role_mappings, 000035 sessions + session_signing_keys, 000036 users) by shipping the repository surface Phase 3+ services consume. Interfaces: * internal/repository/oidc.go - OIDCProviderRepository (List, Get, GetByName, Create, Update, Delete) + GroupRoleMappingRepository (ListByProvider, Get, Add, Remove, Map). Sentinels: ErrOIDCProviderNotFound, ErrOIDCProviderDuplicateName, ErrOIDCProviderInUse (FK ON DELETE RESTRICT translation), ErrGroupRoleMappingNotFound, ErrGroupRoleMappingDuplicate. * internal/repository/session.go - SessionRepository (Create, Get, ListByActor, UpdateLastSeen, Revoke, RevokeAllForActor, GarbageCollectExpired, Delete) + SessionSigningKeyRepository (List, GetActive, Get, Add, Retire, Delete). Sentinels: ErrSessionNotFound, ErrSessionRevoked, ErrSessionExpired, ErrSessionSigningKeyNotFound, ErrSessionSigningKeyInUse. * internal/repository/user.go - UserRepository (Get, GetByOIDCSubject, Create, Update, ListAll). Sentinels: ErrUserNotFound, ErrUserDuplicateOIDCSubject. Postgres implementations: * internal/repository/postgres/oidc.go - 309 lines. Translates SQLSTATE 23505 (unique_violation) to ErrOIDCProviderDuplicateName / ErrGroupRoleMappingDuplicate; SQLSTATE 23503 (foreign_key_violation) to ErrOIDCProviderInUse so the Phase 5 handler maps to HTTP 409 when an operator tries to delete a provider with authenticated users. pq.StringArray bridges Go []string to Postgres TEXT[] for scopes + allowed_email_domains. Map() uses `WHERE group_name = ANY($2)` so a single SELECT resolves N IdP group claims at once. * internal/repository/postgres/session.go - 350 lines. Both Session + SessionSigningKey repos. Revoke + Retire are idempotent (re-revoking an already-revoked session returns nil; same for retire). The GarbageCollectExpired sweep deletes both absolute-expiry-passed sessions AND pre-login rows older than the 10-minute TTL in one DELETE so the scheduler tick is cheap. ErrSessionSigningKeyInUse pinned via SQLSTATE 23503 from the sessions.signing_key_id FK ON DELETE RESTRICT. * internal/repository/postgres/user.go - 137 lines. GetByOIDCSubject is the Phase 3 hot-path lookup; the (oidc_provider_id, oidc_subject) UNIQUE constraint trip translates to ErrUserDuplicateOIDCSubject. Update only writes the mutable field set (email, display_name, last_login_at, webauthn_credentials); oidc_subject + oidc_provider_id are immutable per the per-(provider, subject) identity model. Integration tests (testing.Short()-gated, testcontainers + Postgres 16 Alpine, schema-per-test isolation via getTestDB().freshSchema): * oidc_test.go: 11 tests covering happy-path + GetNotFound + DuplicateName + List + Update + DeleteNotFound + DeleteSucceeds + DeleteRefusedWhenUsersReference (the FK ON DELETE RESTRICT pin); GroupRoleMapping coverage includes Add/List/Map (3 cases: marketing-not-mapped, multi-group hits, empty groups returns empty), Duplicate rejection, and the ON DELETE CASCADE on provider deletion. * session_test.go: 12 tests covering SessionSigningKey + Session. Key tests: GetActiveSkipsRetired (mints older, retires it, mints newer, asserts GetActive returns newer), DeleteRefusedWhenSessions- Reference (FK pin), RetireIsIdempotent. Session tests: CreateAndGet roundtrip, GetNotFound, Revoke + idempotent re-Revoke, ListByActor (3 active + 1 revoked + 1 pre-login -> returns 3, pinning the WHERE filter), RevokeAllForActor, GarbageCollectExpired (seeds an absolute-expired row + pre-login >10min row + active session via raw SQL to bypass CHECK constraints, asserts GC kills exactly 2 + active survives), UpdateLastSeen. * user_test.go: 7 tests covering CreateAndGet, GetNotFound, GetByOIDCSubject (hit + miss), DuplicateOIDCSubjectRejected, UpdateMutableFields (asserts oidc_subject NOT mutated by Update), ListAll, FKRestrictsProviderDelete (mirror of the OIDC test from the user side - both ends of the FK contract pinned). Verifications: * gofmt -l clean across all 9 new files. * go vet ./internal/repository/postgres/ rc=0. * go test -short -count=1 green on internal/repository/postgres/ + internal/auth/... + Bundle 1 packages (testing.Short() skips the testcontainers integration tests, but the test files compile + the short-mode skip path is exercised so the suite is wired correctly). * Full integration tests run in CI's non-short job against Postgres 16 Alpine via testcontainers-go. * govulncheck ./... clean. * All 24 ci-guards pass. Phase 2 exit criteria from cowork/auth-bundle-2-prompt.md (all met): * All three Phase-2 migrations apply cleanly, idempotently: yes (Phase 2a). Break-glass migration ships separately in Phase 7.5. * Repository tests pass against Postgres 16 Alpine: integration tests written, gated by testing.Short(), structured to run cleanly in CI's non-short job. * make verify equivalent green: gofmt + vet + go test pass; golangci-lint deferred to CI per Phase 0/1's same pattern.
This commit is contained in:
shankar0123
@@ -0,0 +1,137 @@
|
||||
package postgres
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"github.com/lib/pq"
|
||||
|
||||
userdomain "github.com/certctl-io/certctl/internal/auth/user/domain"
|
||||
"github.com/certctl-io/certctl/internal/repository"
|
||||
)
|
||||
|
||||
// UserRepository is the postgres implementation of
|
||||
// repository.UserRepository (Auth Bundle 2 Phase 2).
|
||||
type UserRepository struct {
|
||||
db *sql.DB
|
||||
}
|
||||
|
||||
// NewUserRepository constructs a UserRepository.
|
||||
func NewUserRepository(db *sql.DB) *UserRepository {
|
||||
return &UserRepository{db: db}
|
||||
}
|
||||
|
||||
const userColumns = `id, tenant_id, email, display_name, oidc_subject,
|
||||
oidc_provider_id, last_login_at, webauthn_credentials,
|
||||
created_at, updated_at`
|
||||
|
||||
func scanUser(row interface{ Scan(...interface{}) error }) (*userdomain.User, error) {
|
||||
var u userdomain.User
|
||||
if err := row.Scan(
|
||||
&u.ID, &u.TenantID, &u.Email, &u.DisplayName, &u.OIDCSubject,
|
||||
&u.OIDCProviderID, &u.LastLoginAt, &u.WebAuthnCredentials,
|
||||
&u.CreatedAt, &u.UpdatedAt,
|
||||
); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &u, nil
|
||||
}
|
||||
|
||||
// Get returns one user by id.
|
||||
func (r *UserRepository) Get(ctx context.Context, id string) (*userdomain.User, error) {
|
||||
row := r.db.QueryRowContext(ctx, `SELECT `+userColumns+` FROM users WHERE id = $1`, id)
|
||||
u, err := scanUser(row)
|
||||
if err != nil {
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return nil, repository.ErrUserNotFound
|
||||
}
|
||||
return nil, fmt.Errorf("users get: %w", err)
|
||||
}
|
||||
return u, nil
|
||||
}
|
||||
|
||||
// GetByOIDCSubject is the Phase 3 hot-path lookup at login time.
|
||||
// Returns ErrUserNotFound if no row matches the (provider, subject)
|
||||
// tuple — Phase 3's HandleCallback then creates the row via Create.
|
||||
func (r *UserRepository) GetByOIDCSubject(ctx context.Context, providerID, subject string) (*userdomain.User, error) {
|
||||
row := r.db.QueryRowContext(ctx, `
|
||||
SELECT `+userColumns+`
|
||||
FROM users
|
||||
WHERE oidc_provider_id = $1 AND oidc_subject = $2`,
|
||||
providerID, subject)
|
||||
u, err := scanUser(row)
|
||||
if err != nil {
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return nil, repository.ErrUserNotFound
|
||||
}
|
||||
return nil, fmt.Errorf("users get_by_oidc_subject: %w", err)
|
||||
}
|
||||
return u, nil
|
||||
}
|
||||
|
||||
// Create persists a new user. Translates SQLSTATE 23505 into
|
||||
// ErrUserDuplicateOIDCSubject (the unique constraint on
|
||||
// (oidc_provider_id, oidc_subject)).
|
||||
func (r *UserRepository) Create(ctx context.Context, u *userdomain.User) error {
|
||||
_, err := r.db.ExecContext(ctx, `
|
||||
INSERT INTO users (
|
||||
id, tenant_id, email, display_name, oidc_subject,
|
||||
oidc_provider_id, last_login_at, webauthn_credentials
|
||||
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)`,
|
||||
u.ID, u.TenantID, u.Email, u.DisplayName, u.OIDCSubject,
|
||||
u.OIDCProviderID, u.LastLoginAt, u.WebAuthnCredentials)
|
||||
if err != nil {
|
||||
var pqErr *pq.Error
|
||||
if errors.As(err, &pqErr) && pqErr.Code == "23505" {
|
||||
return repository.ErrUserDuplicateOIDCSubject
|
||||
}
|
||||
return fmt.Errorf("users create: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Update writes the mutable fields (email, display_name, last_login_at,
|
||||
// webauthn_credentials) back to the row. Immutable: id, tenant_id,
|
||||
// oidc_subject, oidc_provider_id, created_at. updated_at = NOW().
|
||||
func (r *UserRepository) Update(ctx context.Context, u *userdomain.User) error {
|
||||
res, err := r.db.ExecContext(ctx, `
|
||||
UPDATE users SET
|
||||
email = $2,
|
||||
display_name = $3,
|
||||
last_login_at = $4,
|
||||
webauthn_credentials = $5,
|
||||
updated_at = NOW()
|
||||
WHERE id = $1`,
|
||||
u.ID, u.Email, u.DisplayName, u.LastLoginAt, u.WebAuthnCredentials)
|
||||
if err != nil {
|
||||
return fmt.Errorf("users update: %w", err)
|
||||
}
|
||||
n, _ := res.RowsAffected()
|
||||
if n == 0 {
|
||||
return repository.ErrUserNotFound
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ListAll returns every user in the tenant, ordered by created_at ASC.
|
||||
func (r *UserRepository) ListAll(ctx context.Context, tenantID string) ([]*userdomain.User, error) {
|
||||
rows, err := r.db.QueryContext(ctx,
|
||||
`SELECT `+userColumns+` FROM users WHERE tenant_id = $1 ORDER BY created_at ASC`,
|
||||
tenantID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("users list_all: %w", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
var out []*userdomain.User
|
||||
for rows.Next() {
|
||||
u, err := scanUser(rows)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("users scan: %w", err)
|
||||
}
|
||||
out = append(out, u)
|
||||
}
|
||||
return out, rows.Err()
|
||||
}
|
||||
Reference in New Issue
Block a user