gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:01:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
21aeed4f4e46c08a3c53a202ace54fd642a9b85f
certctl/internal/repository/postgres/breakglass.go
T
shankar0123 21aeed4f4e legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) 
Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
2026-05-13 21:23:35 +00:00

200 lines
6.5 KiB
Go
Raw Blame History

// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1
package postgres
import (
"context"
"database/sql"
"errors"
"fmt"
"github.com/lib/pq"
bgdomain "github.com/certctl-io/certctl/internal/auth/breakglass/domain"
"github.com/certctl-io/certctl/internal/repository"
)
// BreakglassCredentialRepository is the postgres implementation of
// repository.BreakglassCredentialRepository. Auth Bundle 2 Phase 7.5.
type BreakglassCredentialRepository struct {
db *sql.DB
}
// NewBreakglassCredentialRepository constructs a
// BreakglassCredentialRepository.
func NewBreakglassCredentialRepository(db *sql.DB) *BreakglassCredentialRepository {
return &BreakglassCredentialRepository{db: db}
}
const breakglassColumns = `id, tenant_id, actor_id, password_hash,
created_at, last_password_change_at, failure_count, locked_until,
last_failure_at`
func scanBreakglass(row interface{ Scan(...interface{}) error }) (*bgdomain.BreakglassCredential, error) {
var c bgdomain.BreakglassCredential
var lockedUntil, lastFailureAt sql.NullTime
if err := row.Scan(
&c.ID, &c.TenantID, &c.ActorID, &c.PasswordHash,
&c.CreatedAt, &c.LastPasswordChangeAt, &c.FailureCount,
&lockedUntil, &lastFailureAt,
); err != nil {
return nil, err
}
if lockedUntil.Valid {
c.LockedUntil = &lockedUntil.Time
}
if lastFailureAt.Valid {
c.LastFailureAt = &lastFailureAt.Time
}
return &c, nil
}
// Create persists a new credential row.
func (r *BreakglassCredentialRepository) Create(ctx context.Context, c *bgdomain.BreakglassCredential) error {
_, err := r.db.ExecContext(ctx, `
INSERT INTO breakglass_credentials (
id, tenant_id, actor_id, password_hash
) VALUES ($1,$2,$3,$4)`,
c.ID, c.TenantID, c.ActorID, c.PasswordHash)
if err != nil {
var pqErr *pq.Error
if errors.As(err, &pqErr) && pqErr.Code == "23505" {
return repository.ErrBreakglassDuplicate
}
return fmt.Errorf("breakglass create: %w", err)
}
return nil
}
// GetByActor returns the credential for the named actor.
func (r *BreakglassCredentialRepository) GetByActor(ctx context.Context, actorID, tenantID string) (*bgdomain.BreakglassCredential, error) {
row := r.db.QueryRowContext(ctx,
`SELECT `+breakglassColumns+` FROM breakglass_credentials WHERE actor_id = $1 AND tenant_id = $2`,
actorID, tenantID)
c, err := scanBreakglass(row)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, repository.ErrBreakglassNotFound
}
return nil, fmt.Errorf("breakglass get_by_actor: %w", err)
}
return c, nil
}
// UpdatePasswordHash rotates the password hash. Idempotent reset of
// failure_count + locked_until (a fresh password starts unlocked).
func (r *BreakglassCredentialRepository) UpdatePasswordHash(ctx context.Context, actorID, tenantID, newHash string) error {
res, err := r.db.ExecContext(ctx, `
UPDATE breakglass_credentials
SET password_hash = $3,
last_password_change_at = NOW(),
failure_count = 0,
locked_until = NULL,
last_failure_at = NULL
WHERE actor_id = $1 AND tenant_id = $2`,
actorID, tenantID, newHash)
if err != nil {
return fmt.Errorf("breakglass update_password_hash: %w", err)
}
n, _ := res.RowsAffected()
if n == 0 {
return repository.ErrBreakglassNotFound
}
return nil
}
// IncrementFailure atomically bumps failure_count + sets last_failure_at;
// when the new count >= threshold, sets locked_until = NOW() + duration.
// The whole transition is one UPDATE so concurrent racing wrong-password
// attempts can't observe an intermediate state.
//
// Returns the post-update row so the service can decide whether to
// surface ErrBreakglassLocked without a re-read.
func (r *BreakglassCredentialRepository) IncrementFailure(ctx context.Context, actorID, tenantID string, threshold int, lockoutDurationSec int) (*bgdomain.BreakglassCredential, error) {
row := r.db.QueryRowContext(ctx, `
UPDATE breakglass_credentials
SET failure_count = failure_count + 1,
last_failure_at = NOW(),
locked_until = CASE
WHEN failure_count + 1 >= $3 THEN NOW() + ($4 || ' seconds')::interval
ELSE locked_until
END
WHERE actor_id = $1 AND tenant_id = $2
RETURNING `+breakglassColumns,
actorID, tenantID, threshold, lockoutDurationSec)
c, err := scanBreakglass(row)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, repository.ErrBreakglassNotFound
}
return nil, fmt.Errorf("breakglass increment_failure: %w", err)
}
return c, nil
}
// ResetFailureCount clears failure_count + locked_until. Used on
// successful Authenticate AND on admin-initiated Unlock. Idempotent.
func (r *BreakglassCredentialRepository) ResetFailureCount(ctx context.Context, actorID, tenantID string) error {
res, err := r.db.ExecContext(ctx, `
UPDATE breakglass_credentials
SET failure_count = 0,
locked_until = NULL,
last_failure_at = NULL
WHERE actor_id = $1 AND tenant_id = $2`,
actorID, tenantID)
if err != nil {
return fmt.Errorf("breakglass reset_failure_count: %w", err)
}
n, _ := res.RowsAffected()
if n == 0 {
return repository.ErrBreakglassNotFound
}
return nil
}
// Delete removes a credential row.
func (r *BreakglassCredentialRepository) Delete(ctx context.Context, actorID, tenantID string) error {
res, err := r.db.ExecContext(ctx,
`DELETE FROM breakglass_credentials WHERE actor_id = $1 AND tenant_id = $2`,
actorID, tenantID)
if err != nil {
return fmt.Errorf("breakglass delete: %w", err)
}
n, _ := res.RowsAffected()
if n == 0 {
return repository.ErrBreakglassNotFound
}
return nil
}
// List returns every break-glass credential in the tenant. Audit
// 2026-05-10 CRIT-4 closure — backs the GUI admin page that lists
// credentialed actors. The password hash is read into the returned
// row (it's an internal type passed to the handler which strips it
// before serializing the JSON response).
func (r *BreakglassCredentialRepository) List(ctx context.Context, tenantID string) ([]*bgdomain.BreakglassCredential, error) {
rows, err := r.db.QueryContext(ctx,
`SELECT `+breakglassColumns+`
FROM breakglass_credentials
WHERE tenant_id = $1
ORDER BY created_at ASC`,
tenantID)
if err != nil {
return nil, fmt.Errorf("breakglass list: %w", err)
}
defer rows.Close()
var out []*bgdomain.BreakglassCredential
for rows.Next() {
c, err := scanBreakglass(rows)
if err != nil {
return nil, fmt.Errorf("breakglass list scan: %w", err)
}
out = append(out, c)
}
if err := rows.Err(); err != nil {
return nil, fmt.Errorf("breakglass list iter: %w", err)
}
return out, nil
}
Reference in New Issue View Git Blame Copy Permalink