gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 19:21:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5ea45a19b9fe1c8075fc7019d3cfabf0071f7c0c
certctl/migrations/000035_sessions.up.sql
T
shankar0123 315e132981 auth-bundle-2 Phase 2a: SQL migrations (oidc_providers, sessions, users) 
Three new idempotent transactional migrations that materialize the
Phase 1 domain types into Postgres tables. Repository implementations
+ integration tests land as Phase 2b in the next commit.

migrations/000034_oidc_providers.up.sql:
  oidc_providers table with the full OIDCProvider field set
    (issuer_url + client_id + client_secret_encrypted v2 blob +
    redirect_uri + groups_claim_path + groups_claim_format +
    fetch_userinfo + scopes[] + allowed_email_domains[] +
    iat_window_seconds + jwks_cache_ttl_seconds + tenant_id).
  group_role_mappings table linking provider+group_name to role_id.
  Closed-enum CHECK on groups_claim_format ('string-array' or
    'json-path').
  Defense-in-depth bounds CHECKs on iat_window_seconds (1..600) and
    jwks_cache_ttl_seconds (>= 60); app-layer Validate() also
    enforces these.
  ON DELETE CASCADE on group_role_mappings.provider_id so deleting a
    provider cleans up its mappings.
  ON DELETE RESTRICT on group_role_mappings.role_id so an in-use role
    can't be silently dropped.

migrations/000035_sessions.up.sql:
  session_signing_keys table with key_material_encrypted v2 blob +
    retired_at nullable + the retired-after-created CHECK.
  Partial index on (tenant_id, created_at DESC) WHERE retired_at IS
    NULL backs the GetActive hot path.
  sessions table covers BOTH the post-login row (1h-idle/8h-absolute
    cookie lifecycle) AND the Phase 5 pre-login row (10-minute TTL,
    is_pre_login=true). csrf_token_hash holds the SHA-256 of the
    CSRF token plaintext (the plaintext lives in a separate
    JS-readable cookie, hashed here so a DB-read leak can't replay).
  Two CHECK constraints pin the expiry order (absolute > idle, idle >
    created); these match the Phase 1 domain Validate() pre-write
    invariants but enforce them at the DB layer too so direct SQL
    inserts can't silently land malformed rows.
  Partial indexes on actor_id (active sessions only), the active
    session lookup, the pre-login GC sweep (created_at), and the
    absolute-expired GC sweep (absolute_expires_at) cover the four
    hot paths Phase 4's service consumes.
  ON DELETE RESTRICT on sessions.signing_key_id so a signing key
    referenced by an active session can't be dropped (the retention
    window keeps retired keys valid; full purge waits until every
    session signed under that key has expired).

migrations/000036_users.up.sql:
  users table for federated-human identity (per-(provider, subject)
    tuple via UNIQUE constraint, not global - identity is per-IdP by
    design).
  webauthn_credentials JSONB DEFAULT '[]' reserved for v3 (Decision
    12); Bundle 2 always stores [].
  Email index for the GUI's "find user by email" surface (not unique
    because the same email can appear in multiple providers per the
    per-IdP identity model).
  ON DELETE RESTRICT on users.oidc_provider_id keeps Phase 3's "delete
    provider only when no users authenticated via it" rule enforced
    at the DB layer; the OIDCProviderRepository.Delete impl will
    translate SQLSTATE 23503 into a 409 sentinel.

All three migrations:
  Wrapped in BEGIN/COMMIT so partial-fail leaves no half-state.
  IF NOT EXISTS / IF EXISTS / ON CONFLICT DO NOTHING for idempotency
    (the certctl-server boot path applies every migration on every
    start per CLAUDE.md "Idempotent migrations" architecture rule).
  TIMESTAMPTZ for time columns (no TIMESTAMP WITHOUT TIME ZONE).
  TEXT primary keys with prefixes per CLAUDE.md "Architecture
    Decisions" (op- / grm- / sk- / ses- / u-).
  Multi-tenant ready: tenant_id column with DEFAULT 't-default' on
    every row, FK to tenants(id) ON DELETE CASCADE. Bundle 2 ships
    single-tenant; managed-service activation adds tenants without a
    schema migration.

Down migrations exist in lockstep, drop tables in FK-safe order
(group_role_mappings -> oidc_providers; sessions ->
session_signing_keys; users alone). Down-migrations are destructive;
docstrings call this out.

Verifications:
  Migration count: ls migrations/*.up.sql | wc -l = 36 (33 from
    Bundle 1 + 3 new).
  BEGIN/COMMIT pair counts: each new migration is 1:1.
  No Docker in this sandbox, so the migrations are not applied
    end-to-end here; CI's testcontainers harness runs them via
    postgres.RunMigrations on every push. Phase 2b's repository
    integration tests will exercise the schema against Postgres 16
    Alpine.
2026-05-10 04:08:06 +00:00

100 lines
4.5 KiB
PL/PgSQL
Raw Blame History

-- 000035_sessions.up.sql
-- Auth Bundle 2 / Phase 2: server-side session management. Two cookie
-- shapes share the `sessions` table:
--
-- 1. Post-login row: minted by SessionService.Create after a
-- successful OIDC callback or break-glass authenticate. Carries
-- the cookie HMAC-signed via the active session_signing_keys row.
-- Idle timeout 1h default, absolute timeout 8h default.
--
-- 2. Pre-login row: minted at /auth/oidc/login to hold OIDC state +
-- nonce + PKCE verifier across the IdP redirect. Same row shape,
-- `is_pre_login = true`, 10-minute absolute TTL, GC'd by the same
-- scheduler sweep as expired post-login sessions.
--
-- session_signing_keys holds the HMAC key material. Phase 4's
-- Service.RotateSigningKey mints new keys and retires old ones; the
-- retention window keeps retired keys valid for verification of
-- cookies signed under them so existing sessions don't immediately
-- fail.
--
-- All operations idempotent. Wrapped in a single transaction.
-- Multi-tenant ready (tenant_id on every row).
BEGIN;
-- Session signing keys. The "active" key is the most recently created
-- non-retired row; Phase 4's Service.GetActive returns it. Retired keys
-- (RetiredAt IS NOT NULL) stay in the table for the configurable
-- retention window so cookies signed under them still verify.
CREATE TABLE IF NOT EXISTS session_signing_keys (
id TEXT PRIMARY KEY, -- prefix `sk-`
tenant_id TEXT NOT NULL DEFAULT 't-default'
REFERENCES tenants(id) ON DELETE CASCADE,
key_material_encrypted BYTEA NOT NULL, -- v2 blob; never plaintext
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
retired_at TIMESTAMPTZ NULL,
CONSTRAINT session_signing_keys_retired_after_created
CHECK (retired_at IS NULL OR retired_at >= created_at)
);
-- Index on (tenant_id, retired_at IS NULL, created_at DESC) backs the
-- GetActive query: most-recently-created non-retired key per tenant.
CREATE INDEX IF NOT EXISTS idx_session_signing_keys_active
ON session_signing_keys (tenant_id, created_at DESC)
WHERE retired_at IS NULL;
-- Sessions table. Holds both post-login and pre-login rows; is_pre_login
-- discriminates. CSRFTokenHash is SHA-256 hex of the operator-facing
-- CSRF token (the plaintext lives in a separate JS-readable cookie so
-- the GUI can echo it into the X-CSRF-Token header).
CREATE TABLE IF NOT EXISTS sessions (
id TEXT PRIMARY KEY, -- prefix `ses-`
tenant_id TEXT NOT NULL DEFAULT 't-default'
REFERENCES tenants(id) ON DELETE CASCADE,
actor_id TEXT NOT NULL,
actor_type TEXT NOT NULL, -- matches domain.ActorType strings
signing_key_id TEXT NOT NULL REFERENCES session_signing_keys(id) ON DELETE RESTRICT,
is_pre_login BOOLEAN NOT NULL DEFAULT FALSE,
csrf_token_hash TEXT NOT NULL DEFAULT '', -- 64 lowercase hex chars when set; '' for pre-login rows
idle_expires_at TIMESTAMPTZ NOT NULL,
absolute_expires_at TIMESTAMPTZ NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
ip_address TEXT NOT NULL DEFAULT '',
user_agent TEXT NOT NULL DEFAULT '',
revoked_at TIMESTAMPTZ NULL,
CONSTRAINT sessions_expiry_order
CHECK (absolute_expires_at > idle_expires_at),
CONSTRAINT sessions_idle_after_created
CHECK (idle_expires_at > created_at)
);
-- Index for "list sessions for me" hot path (Phase 5
-- GET /v1/auth/sessions) — actor_id is the WHERE clause.
CREATE INDEX IF NOT EXISTS idx_sessions_actor_id
ON sessions (actor_id, actor_type)
WHERE revoked_at IS NULL AND is_pre_login = FALSE;
-- Index for the active-session lookup (Phase 4 Validate hot path).
-- Partial index (revoked_at IS NULL) keeps it small; revoked sessions
-- are GC'd separately.
CREATE INDEX IF NOT EXISTS idx_sessions_active
ON sessions (id)
WHERE revoked_at IS NULL;
-- Index for the pre-login GC sweep: walk pre-login rows older than
-- the 10-minute TTL.
CREATE INDEX IF NOT EXISTS idx_sessions_pre_login_gc
ON sessions (created_at)
WHERE is_pre_login = TRUE;
-- Index for the absolute-expired GC sweep: walk rows past the absolute
-- expiry window.
CREATE INDEX IF NOT EXISTS idx_sessions_absolute_expires_at
ON sessions (absolute_expires_at);
COMMIT;
Reference in New Issue View Git Blame Copy Permalink