package handler import ( "context" "encoding/json" "errors" "net/http" "strconv" "strings" "github.com/shankar0123/certctl/internal/api/middleware" "github.com/shankar0123/certctl/internal/domain" "github.com/shankar0123/certctl/internal/service" ) // AgentGroupService defines the service interface for agent group operations. type AgentGroupService interface { ListAgentGroups(ctx context.Context, page, perPage int) ([]domain.AgentGroup, int64, error) GetAgentGroup(ctx context.Context, id string) (*domain.AgentGroup, error) CreateAgentGroup(ctx context.Context, group domain.AgentGroup) (*domain.AgentGroup, error) UpdateAgentGroup(ctx context.Context, id string, group domain.AgentGroup) (*domain.AgentGroup, error) DeleteAgentGroup(ctx context.Context, id string) error ListMembers(ctx context.Context, id string) ([]domain.Agent, int64, error) } // AgentGroupHandler handles HTTP requests for agent group operations. // // Error dispatch (post-M-1): every service error routes through the [errToStatus] // choke point via `errors.Is` walking the wrap chain, with one explicit // [service.ErrValidation] arm on the write paths (Create, Update) so the // composed "validation: " message the service layer // attaches via `fmt.Errorf("%w: ...", ErrValidation)` can be passed through to // the 400 response body. Before M-1, the Create handler branched on // `strings.Contains(err.Error(), "invalid"|"required")` — fragile because a // single reword in [service.validateAgentGroup] would demote the 400 to 500 // with no compile-time signal — and the Update/Delete handlers branched on // `strings.Contains(err.Error(), "not found")`, coupling HTTP classification // to repository human-readable strings. Both now ride the typed // [repository.ErrNotFound] wrap through errToStatus. Mirrors ProfileHandler. type AgentGroupHandler struct { svc AgentGroupService } // NewAgentGroupHandler creates a new AgentGroupHandler with a service dependency. func NewAgentGroupHandler(svc AgentGroupService) AgentGroupHandler { return AgentGroupHandler{svc: svc} } // ListAgentGroups lists all agent groups. // GET /api/v1/agent-groups?page=1&per_page=50 func (h AgentGroupHandler) ListAgentGroups(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodGet { Error(w, http.StatusMethodNotAllowed, "Method not allowed") return } requestID := middleware.GetRequestID(r.Context()) page := 1 perPage := 50 query := r.URL.Query() if p := query.Get("page"); p != "" { if parsed, err := strconv.Atoi(p); err == nil && parsed > 0 { page = parsed } } if pp := query.Get("per_page"); pp != "" { if parsed, err := strconv.Atoi(pp); err == nil && parsed > 0 && parsed <= 500 { perPage = parsed } } groups, total, err := h.svc.ListAgentGroups(r.Context(), page, perPage) if err != nil { ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list agent groups", requestID) return } response := PagedResponse{ Data: groups, Total: total, Page: page, PerPage: perPage, } JSON(w, http.StatusOK, response) } // GetAgentGroup retrieves a single agent group by ID. // GET /api/v1/agent-groups/{id} func (h AgentGroupHandler) GetAgentGroup(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodGet { Error(w, http.StatusMethodNotAllowed, "Method not allowed") return } requestID := middleware.GetRequestID(r.Context()) id := strings.TrimPrefix(r.URL.Path, "/api/v1/agent-groups/") if id == "" || strings.Contains(id, "/") { ErrorWithRequestID(w, http.StatusBadRequest, "Agent group ID is required", requestID) return } group, err := h.svc.GetAgentGroup(r.Context(), id) if err != nil { // M-1: route through errToStatus so a repo-level `sql.ErrNoRows` // (wrapped as repository.ErrNotFound) becomes 404, but a transient DB // failure no longer masquerades as 404 — it correctly surfaces 500. The // pre-M-1 "any error → 404" shortcut was plausible when Get's only // expected failure was "not found", but the choke point now gives us // correct dispatch for free. Mirrors GetProfile. status := errToStatus(err) msg := "Failed to get agent group" if status == http.StatusNotFound { msg = "Agent group not found" } ErrorWithRequestID(w, status, msg, requestID) return } JSON(w, http.StatusOK, group) } // CreateAgentGroup creates a new agent group. // POST /api/v1/agent-groups func (h AgentGroupHandler) CreateAgentGroup(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPost { Error(w, http.StatusMethodNotAllowed, "Method not allowed") return } requestID := middleware.GetRequestID(r.Context()) var group domain.AgentGroup if err := json.NewDecoder(r.Body).Decode(&group); err != nil { ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID) return } if err := ValidateRequired("name", group.Name); err != nil { ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID) return } if err := ValidateStringLength("name", group.Name, 255); err != nil { ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID) return } created, err := h.svc.CreateAgentGroup(r.Context(), group) if err != nil { // M-1: replace the 2-term substring net (`"invalid"|"required"`) with a // single `errors.Is(err, service.ErrValidation)` arm. validateAgentGroup // wraps every field-specific failure via `fmt.Errorf("%w: ", // ErrValidation)`, so `err.Error()` still contains the human-readable // reason (e.g., "agent group name is required") and can be safely passed // to the 400 body — but the status decision no longer depends on the // exact wording. Other errors redact to a generic 500. Mirrors // CreateProfile. if errors.Is(err, service.ErrValidation) { ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID) return } ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create agent group", requestID) return } JSON(w, http.StatusCreated, created) } // UpdateAgentGroup updates an existing agent group. // PUT /api/v1/agent-groups/{id} func (h AgentGroupHandler) UpdateAgentGroup(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPut { Error(w, http.StatusMethodNotAllowed, "Method not allowed") return } requestID := middleware.GetRequestID(r.Context()) id := strings.TrimPrefix(r.URL.Path, "/api/v1/agent-groups/") parts := strings.Split(id, "/") if len(parts) == 0 || parts[0] == "" { ErrorWithRequestID(w, http.StatusBadRequest, "Agent group ID is required", requestID) return } id = parts[0] var group domain.AgentGroup if err := json.NewDecoder(r.Body).Decode(&group); err != nil { ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID) return } updated, err := h.svc.UpdateAgentGroup(r.Context(), id, group) if err != nil { // M-1: explicit ErrValidation arm preserves the user-facing reason in // the 400 body (validateAgentGroup wraps every failure via // `fmt.Errorf("%w: ...", ErrValidation)`); every other error — including // repo-layer ErrNotFound on a missing row — routes through errToStatus // so the 404/500 decision no longer depends on substring matching. // Mirrors UpdateProfile. if errors.Is(err, service.ErrValidation) { ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID) return } status := errToStatus(err) msg := "Failed to update agent group" if status == http.StatusNotFound { msg = "Agent group not found" } ErrorWithRequestID(w, status, msg, requestID) return } JSON(w, http.StatusOK, updated) } // DeleteAgentGroup deletes an agent group. // DELETE /api/v1/agent-groups/{id} func (h AgentGroupHandler) DeleteAgentGroup(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodDelete { Error(w, http.StatusMethodNotAllowed, "Method not allowed") return } requestID := middleware.GetRequestID(r.Context()) id := strings.TrimPrefix(r.URL.Path, "/api/v1/agent-groups/") if id == "" || strings.Contains(id, "/") { ErrorWithRequestID(w, http.StatusBadRequest, "Agent group ID is required", requestID) return } if err := h.svc.DeleteAgentGroup(r.Context(), id); err != nil { // M-1: sentinel dispatch replaces the substring 404 check — see the // parallel comment block in UpdateAgentGroup for the rationale. Mirrors // DeleteProfile. status := errToStatus(err) msg := "Failed to delete agent group" if status == http.StatusNotFound { msg = "Agent group not found" } ErrorWithRequestID(w, status, msg, requestID) return } w.WriteHeader(http.StatusNoContent) } // ListAgentGroupMembers lists agents in a group. // GET /api/v1/agent-groups/{id}/members func (h AgentGroupHandler) ListAgentGroupMembers(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodGet { Error(w, http.StatusMethodNotAllowed, "Method not allowed") return } requestID := middleware.GetRequestID(r.Context()) // Parse ID from: /api/v1/agent-groups/{id}/members path := strings.TrimPrefix(r.URL.Path, "/api/v1/agent-groups/") parts := strings.Split(path, "/") if len(parts) < 2 || parts[0] == "" { ErrorWithRequestID(w, http.StatusBadRequest, "Agent group ID is required", requestID) return } id := parts[0] members, total, err := h.svc.ListMembers(r.Context(), id) if err != nil { ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list group members", requestID) return } response := PagedResponse{ Data: members, Total: total, Page: 1, PerPage: int(total), } JSON(w, http.StatusOK, response) }