gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-09 04:08:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
757e2ec30cee2d9b30fe3c086ea5cc2bb179c298
certctl/internal/repository/oidc.go
T
shankar0123 b37cd6991b auth-bundle-2 Phase 2b: repository interfaces + Postgres impls + integration tests 
Closes Phase 2 end-to-end. Builds on Phase 2a's three migrations
(000034 oidc_providers + group_role_mappings, 000035 sessions +
session_signing_keys, 000036 users) by shipping the repository surface
Phase 3+ services consume.

Interfaces:
* internal/repository/oidc.go - OIDCProviderRepository (List, Get,
  GetByName, Create, Update, Delete) + GroupRoleMappingRepository
  (ListByProvider, Get, Add, Remove, Map). Sentinels:
  ErrOIDCProviderNotFound, ErrOIDCProviderDuplicateName,
  ErrOIDCProviderInUse (FK ON DELETE RESTRICT translation),
  ErrGroupRoleMappingNotFound, ErrGroupRoleMappingDuplicate.
* internal/repository/session.go - SessionRepository (Create, Get,
  ListByActor, UpdateLastSeen, Revoke, RevokeAllForActor,
  GarbageCollectExpired, Delete) + SessionSigningKeyRepository (List,
  GetActive, Get, Add, Retire, Delete). Sentinels: ErrSessionNotFound,
  ErrSessionRevoked, ErrSessionExpired, ErrSessionSigningKeyNotFound,
  ErrSessionSigningKeyInUse.
* internal/repository/user.go - UserRepository (Get, GetByOIDCSubject,
  Create, Update, ListAll). Sentinels: ErrUserNotFound,
  ErrUserDuplicateOIDCSubject.

Postgres implementations:
* internal/repository/postgres/oidc.go - 309 lines. Translates
  SQLSTATE 23505 (unique_violation) to ErrOIDCProviderDuplicateName /
  ErrGroupRoleMappingDuplicate; SQLSTATE 23503 (foreign_key_violation)
  to ErrOIDCProviderInUse so the Phase 5 handler maps to HTTP 409
  when an operator tries to delete a provider with authenticated
  users. pq.StringArray bridges Go []string to Postgres TEXT[] for
  scopes + allowed_email_domains. Map() uses
  `WHERE group_name = ANY($2)` so a single SELECT resolves N IdP
  group claims at once.
* internal/repository/postgres/session.go - 350 lines. Both Session +
  SessionSigningKey repos. Revoke + Retire are idempotent (re-revoking
  an already-revoked session returns nil; same for retire). The
  GarbageCollectExpired sweep deletes both
  absolute-expiry-passed sessions AND pre-login rows older than the
  10-minute TTL in one DELETE so the scheduler tick is cheap.
  ErrSessionSigningKeyInUse pinned via SQLSTATE 23503 from the
  sessions.signing_key_id FK ON DELETE RESTRICT.
* internal/repository/postgres/user.go - 137 lines. GetByOIDCSubject
  is the Phase 3 hot-path lookup; the (oidc_provider_id,
  oidc_subject) UNIQUE constraint trip translates to
  ErrUserDuplicateOIDCSubject. Update only writes the mutable field
  set (email, display_name, last_login_at, webauthn_credentials);
  oidc_subject + oidc_provider_id are immutable per the
  per-(provider, subject) identity model.

Integration tests (testing.Short()-gated, testcontainers + Postgres
16 Alpine, schema-per-test isolation via getTestDB().freshSchema):

* oidc_test.go: 11 tests covering happy-path + GetNotFound +
  DuplicateName + List + Update + DeleteNotFound + DeleteSucceeds +
  DeleteRefusedWhenUsersReference (the FK ON DELETE RESTRICT pin);
  GroupRoleMapping coverage includes Add/List/Map (3 cases:
  marketing-not-mapped, multi-group hits, empty groups returns
  empty), Duplicate rejection, and the ON DELETE CASCADE on
  provider deletion.
* session_test.go: 12 tests covering SessionSigningKey + Session.
  Key tests: GetActiveSkipsRetired (mints older, retires it, mints
  newer, asserts GetActive returns newer), DeleteRefusedWhenSessions-
  Reference (FK pin), RetireIsIdempotent. Session tests:
  CreateAndGet roundtrip, GetNotFound, Revoke + idempotent re-Revoke,
  ListByActor (3 active + 1 revoked + 1 pre-login -> returns 3,
  pinning the WHERE filter), RevokeAllForActor, GarbageCollectExpired
  (seeds an absolute-expired row + pre-login >10min row + active
  session via raw SQL to bypass CHECK constraints, asserts GC kills
  exactly 2 + active survives), UpdateLastSeen.
* user_test.go: 7 tests covering CreateAndGet, GetNotFound,
  GetByOIDCSubject (hit + miss), DuplicateOIDCSubjectRejected,
  UpdateMutableFields (asserts oidc_subject NOT mutated by Update),
  ListAll, FKRestrictsProviderDelete (mirror of the OIDC test from
  the user side - both ends of the FK contract pinned).

Verifications:
* gofmt -l clean across all 9 new files.
* go vet ./internal/repository/postgres/ rc=0.
* go test -short -count=1 green on internal/repository/postgres/ +
  internal/auth/... + Bundle 1 packages (testing.Short() skips the
  testcontainers integration tests, but the test files compile + the
  short-mode skip path is exercised so the suite is wired correctly).
* Full integration tests run in CI's non-short job against Postgres
  16 Alpine via testcontainers-go.
* govulncheck ./... clean.
* All 24 ci-guards pass.

Phase 2 exit criteria from cowork/auth-bundle-2-prompt.md (all met):
* All three Phase-2 migrations apply cleanly, idempotently: yes
  (Phase 2a). Break-glass migration ships separately in Phase 7.5.
* Repository tests pass against Postgres 16 Alpine: integration
  tests written, gated by testing.Short(), structured to run cleanly
  in CI's non-short job.
* make verify equivalent green: gofmt + vet + go test pass;
  golangci-lint deferred to CI per Phase 0/1's same pattern.
2026-05-10 04:18:27 +00:00

95 lines
4.2 KiB
Go
Raw Blame History

package repository
import (
"context"
"errors"
oidcdomain "github.com/certctl-io/certctl/internal/auth/oidc/domain"
)
// Sentinel errors for the OIDC repositories. Postgres implementations
// translate SQLSTATE codes into these so handler / service code can
// branch via errors.Is.
var (
// ErrOIDCProviderNotFound: Get / GetByName returned no row. HTTP 404.
ErrOIDCProviderNotFound = errors.New("oidc: provider not found")
// ErrOIDCProviderDuplicateName: Create tripped the (tenant_id, name)
// UNIQUE constraint. HTTP 409.
ErrOIDCProviderDuplicateName = errors.New("oidc: provider with this name already exists in tenant")
// ErrOIDCProviderInUse: Delete failed because at least one users row
// references the provider via oidc_provider_id (FK ON DELETE
// RESTRICT). HTTP 409.
ErrOIDCProviderInUse = errors.New("oidc: provider has authenticated users; revoke all sessions before delete")
// ErrGroupRoleMappingNotFound: Get returned no row. HTTP 404.
ErrGroupRoleMappingNotFound = errors.New("oidc: group-role mapping not found")
// ErrGroupRoleMappingDuplicate: Add tripped the
// (provider_id, group_name, role_id) UNIQUE constraint. HTTP 409.
ErrGroupRoleMappingDuplicate = errors.New("oidc: group-role mapping already exists")
)
// OIDCProviderRepository wraps the oidc_providers table. Phase 3's
// OIDCService consumes List + Get to look up the IdP for token
// validation; the GUI / CLI wire Create / Update / Delete behind
// auth.oidc.* permission gates per Phase 5.
type OIDCProviderRepository interface {
// List returns every configured provider in the tenant. Order:
// created_at ASC for stable GUI rendering.
List(ctx context.Context, tenantID string) ([]*oidcdomain.OIDCProvider, error)
// Get returns one provider by id. ErrOIDCProviderNotFound on miss.
Get(ctx context.Context, id string) (*oidcdomain.OIDCProvider, error)
// GetByName returns one provider by (tenant_id, name).
// ErrOIDCProviderNotFound on miss.
GetByName(ctx context.Context, tenantID, name string) (*oidcdomain.OIDCProvider, error)
// Create persists a new provider. Caller MUST have already called
// p.Validate() and encrypted the client_secret_encrypted byte
// stream via internal/crypto/encryption.go. Returns
// ErrOIDCProviderDuplicateName when the (tenant_id, name) UNIQUE
// constraint fires.
Create(ctx context.Context, p *oidcdomain.OIDCProvider) error
// Update writes the full mutable field set back to the row.
// Immutable fields (id, tenant_id, created_at) are read-only;
// updated_at is set to NOW() by the implementation.
Update(ctx context.Context, p *oidcdomain.OIDCProvider) error
// Delete removes a provider by id. Returns ErrOIDCProviderInUse
// when at least one users row references this provider (FK ON
// DELETE RESTRICT). Phase 5's handler maps to HTTP 409.
Delete(ctx context.Context, id string) error
}
// GroupRoleMappingRepository wraps the group_role_mappings table.
// Phase 3's OIDCService.HandleCallback uses Map() to translate IdP
// group claims into role IDs; the GUI / CLI wire ListByProvider /
// Add / Remove for operator configuration.
type GroupRoleMappingRepository interface {
// ListByProvider returns every mapping for the named provider.
// Order: group_name ASC for stable GUI rendering.
ListByProvider(ctx context.Context, providerID string) ([]*oidcdomain.GroupRoleMapping, error)
// Get returns one mapping by id. ErrGroupRoleMappingNotFound on miss.
Get(ctx context.Context, id string) (*oidcdomain.GroupRoleMapping, error)
// Add persists a new mapping. Caller MUST have called m.Validate().
// Returns ErrGroupRoleMappingDuplicate when the
// (provider_id, group_name, role_id) UNIQUE constraint fires.
Add(ctx context.Context, m *oidcdomain.GroupRoleMapping) error
// Remove deletes a mapping by id.
Remove(ctx context.Context, id string) error
// Map resolves an IdP-supplied list of group names against the
// provider's mappings. Returns the deduplicated set of role IDs
// the user should hold. Empty result means the user matches no
// mapping (Phase 3 fail-closed: no session minted, audit row
// `auth.oidc_login_unmapped_groups`).
Map(ctx context.Context, providerID string, groupNames []string) ([]string, error)
}
Reference in New Issue View Git Blame Copy Permalink