gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:01:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
130a65f3b6aa1761b1161410fd2af469de9901cb
certctl/migrations/000027_approval_workflow.up.sql
T
shankar0123 75097909e9
2026-05-05 18:18:29 +00:00

67 lines
3.0 KiB
SQL
Raw Blame History

-- 000027_approval_workflow.up.sql
-- Rank 7 of the 2026-05-03 Infisical deep-research deliverable
-- (the project's deep-research deliverable, Part 5). Two-person
-- integrity / four-eyes principle for compliance-tier certificate
-- issuance. CertificateProfile.RequiresApproval gates the renewal-
-- loop entry; issuance_approval_requests captures the per-job
-- decision with full audit trail.
--
-- All operations use IF NOT EXISTS / IF EXISTS so the migration is
-- idempotent — safe to re-run on every certctl-server boot per the
-- the project's "Idempotent migrations" architecture decision.
--
-- Existing scaffolding REUSED (not redefined here):
-- - JobStatusAwaitingApproval enum value (internal/domain/job.go).
-- - JobRepository.ListTimedOutAwaitingJobs (postgres reaper query).
-- - Config.Scheduler.AwaitingApprovalTimeout (env-mapped, default
-- 168h via CERTCTL_JOB_AWAITING_APPROVAL_TIMEOUT).
--
-- The lifecycle states are pinned at the schema level via a CHECK
-- constraint matching internal/domain/approval.go::ApprovalState.
ALTER TABLE certificate_profiles
ADD COLUMN IF NOT EXISTS requires_approval BOOLEAN NOT NULL DEFAULT false;
CREATE TABLE IF NOT EXISTS issuance_approval_requests (
id TEXT PRIMARY KEY,
certificate_id TEXT NOT NULL REFERENCES managed_certificates(id) ON DELETE CASCADE,
job_id TEXT NOT NULL REFERENCES jobs(id) ON DELETE CASCADE,
profile_id TEXT NOT NULL REFERENCES certificate_profiles(id) ON DELETE RESTRICT,
requested_by TEXT NOT NULL,
state VARCHAR(20) NOT NULL DEFAULT 'pending',
decided_by TEXT,
decided_at TIMESTAMPTZ,
decision_note TEXT,
metadata JSONB NOT NULL DEFAULT '{}'::jsonb,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
CONSTRAINT approval_state_check CHECK (
state IN ('pending', 'approved', 'rejected', 'expired')
),
CONSTRAINT approval_decision_consistency CHECK (
(state = 'pending' AND decided_by IS NULL AND decided_at IS NULL)
OR (state IN ('approved', 'rejected', 'expired') AND decided_at IS NOT NULL)
)
);
-- Partial-unique index: at most one PENDING approval request per job
-- ID. Creates / re-creates idempotently. Terminal-state rows
-- (approved / rejected / expired) are not constrained — operators
-- can audit-trail multiple decisions over a job's lifetime, though
-- in practice each job creates exactly one ApprovalRequest at
-- AwaitingApproval entry and never recreates it.
CREATE UNIQUE INDEX IF NOT EXISTS idx_approval_pending_per_job
ON issuance_approval_requests(job_id)
WHERE state = 'pending';
CREATE INDEX IF NOT EXISTS idx_approval_state
ON issuance_approval_requests(state);
CREATE INDEX IF NOT EXISTS idx_approval_certificate
ON issuance_approval_requests(certificate_id);
CREATE INDEX IF NOT EXISTS idx_approval_pending_age
ON issuance_approval_requests(created_at)
WHERE state = 'pending';
Reference in New Issue View Git Blame Copy Permalink