gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:01:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c029875196b6de6905c7caaa90618b3e77db7b8a
certctl/migrations/000034_oidc_providers.up.sql
T
shankar0123 315e132981 auth-bundle-2 Phase 2a: SQL migrations (oidc_providers, sessions, users) 
Three new idempotent transactional migrations that materialize the
Phase 1 domain types into Postgres tables. Repository implementations
+ integration tests land as Phase 2b in the next commit.

migrations/000034_oidc_providers.up.sql:
  oidc_providers table with the full OIDCProvider field set
    (issuer_url + client_id + client_secret_encrypted v2 blob +
    redirect_uri + groups_claim_path + groups_claim_format +
    fetch_userinfo + scopes[] + allowed_email_domains[] +
    iat_window_seconds + jwks_cache_ttl_seconds + tenant_id).
  group_role_mappings table linking provider+group_name to role_id.
  Closed-enum CHECK on groups_claim_format ('string-array' or
    'json-path').
  Defense-in-depth bounds CHECKs on iat_window_seconds (1..600) and
    jwks_cache_ttl_seconds (>= 60); app-layer Validate() also
    enforces these.
  ON DELETE CASCADE on group_role_mappings.provider_id so deleting a
    provider cleans up its mappings.
  ON DELETE RESTRICT on group_role_mappings.role_id so an in-use role
    can't be silently dropped.

migrations/000035_sessions.up.sql:
  session_signing_keys table with key_material_encrypted v2 blob +
    retired_at nullable + the retired-after-created CHECK.
  Partial index on (tenant_id, created_at DESC) WHERE retired_at IS
    NULL backs the GetActive hot path.
  sessions table covers BOTH the post-login row (1h-idle/8h-absolute
    cookie lifecycle) AND the Phase 5 pre-login row (10-minute TTL,
    is_pre_login=true). csrf_token_hash holds the SHA-256 of the
    CSRF token plaintext (the plaintext lives in a separate
    JS-readable cookie, hashed here so a DB-read leak can't replay).
  Two CHECK constraints pin the expiry order (absolute > idle, idle >
    created); these match the Phase 1 domain Validate() pre-write
    invariants but enforce them at the DB layer too so direct SQL
    inserts can't silently land malformed rows.
  Partial indexes on actor_id (active sessions only), the active
    session lookup, the pre-login GC sweep (created_at), and the
    absolute-expired GC sweep (absolute_expires_at) cover the four
    hot paths Phase 4's service consumes.
  ON DELETE RESTRICT on sessions.signing_key_id so a signing key
    referenced by an active session can't be dropped (the retention
    window keeps retired keys valid; full purge waits until every
    session signed under that key has expired).

migrations/000036_users.up.sql:
  users table for federated-human identity (per-(provider, subject)
    tuple via UNIQUE constraint, not global - identity is per-IdP by
    design).
  webauthn_credentials JSONB DEFAULT '[]' reserved for v3 (Decision
    12); Bundle 2 always stores [].
  Email index for the GUI's "find user by email" surface (not unique
    because the same email can appear in multiple providers per the
    per-IdP identity model).
  ON DELETE RESTRICT on users.oidc_provider_id keeps Phase 3's "delete
    provider only when no users authenticated via it" rule enforced
    at the DB layer; the OIDCProviderRepository.Delete impl will
    translate SQLSTATE 23503 into a 409 sentinel.

All three migrations:
  Wrapped in BEGIN/COMMIT so partial-fail leaves no half-state.
  IF NOT EXISTS / IF EXISTS / ON CONFLICT DO NOTHING for idempotency
    (the certctl-server boot path applies every migration on every
    start per CLAUDE.md "Idempotent migrations" architecture rule).
  TIMESTAMPTZ for time columns (no TIMESTAMP WITHOUT TIME ZONE).
  TEXT primary keys with prefixes per CLAUDE.md "Architecture
    Decisions" (op- / grm- / sk- / ses- / u-).
  Multi-tenant ready: tenant_id column with DEFAULT 't-default' on
    every row, FK to tenants(id) ON DELETE CASCADE. Bundle 2 ships
    single-tenant; managed-service activation adds tenants without a
    schema migration.

Down migrations exist in lockstep, drop tables in FK-safe order
(group_role_mappings -> oidc_providers; sessions ->
session_signing_keys; users alone). Down-migrations are destructive;
docstrings call this out.

Verifications:
  Migration count: ls migrations/*.up.sql | wc -l = 36 (33 from
    Bundle 1 + 3 new).
  BEGIN/COMMIT pair counts: each new migration is 1:1.
  No Docker in this sandbox, so the migrations are not applied
    end-to-end here; CI's testcontainers harness runs them via
    postgres.RunMigrations on every push. Phase 2b's repository
    integration tests will exercise the schema against Postgres 16
    Alpine.
2026-05-10 04:08:06 +00:00

94 lines
4.7 KiB
PL/PgSQL
Raw Blame History

-- 000034_oidc_providers.up.sql
-- Auth Bundle 2 / Phase 2: OIDC provider configuration + group→role
-- mapping tables. Backs internal/auth/oidc/domain/{OIDCProvider,
-- GroupRoleMapping}. Phase 3 (OIDC service) reads these rows to
-- validate ID tokens against the configured IdP allow-list.
--
-- All operations use IF NOT EXISTS / IF EXISTS / ON CONFLICT DO NOTHING
-- so the migration is idempotent: safe to re-run on every
-- certctl-server boot per the project's "Idempotent migrations"
-- architecture decision. Wrapped in a single transaction so a
-- partial-fail leaves no half-state.
--
-- Schema convention follows CLAUDE.md "Architecture Decisions": TEXT
-- primary keys with prefixes (`op-`, `grm-`), TIMESTAMPTZ for time
-- columns, FK cascade behaviour explicit (group_role_mappings cascades
-- on provider deletion).
--
-- Multi-tenant readiness: every row carries tenant_id with
-- DEFAULT 't-default'. Bundle 2 ships single-tenant; the future
-- managed-service multi-tenant offering activates by inserting
-- additional tenants without a schema migration.
--
-- client_secret_encrypted holds the v2 blob produced by
-- `internal/crypto/encryption.go` (magic byte 0x02 || salt(16) ||
-- nonce(12) || ciphertext+tag). Plaintext NEVER lives in the DB.
BEGIN;
-- OIDC providers: operator-configured IdP records. One row per IdP.
-- N providers supported from day one for the future managed-service
-- offering where a multi-team customer may have multiple IdPs.
CREATE TABLE IF NOT EXISTS oidc_providers (
id TEXT PRIMARY KEY, -- prefix `op-`
tenant_id TEXT NOT NULL DEFAULT 't-default'
REFERENCES tenants(id) ON DELETE CASCADE,
name TEXT NOT NULL,
issuer_url TEXT NOT NULL, -- must be https:// (validated at app layer)
client_id TEXT NOT NULL,
client_secret_encrypted BYTEA NOT NULL, -- v2 blob; never plaintext
redirect_uri TEXT NOT NULL, -- must be https:// (validated at app layer)
groups_claim_path TEXT NOT NULL DEFAULT 'groups',
groups_claim_format TEXT NOT NULL DEFAULT 'string-array',
fetch_userinfo BOOLEAN NOT NULL DEFAULT FALSE,
scopes TEXT[] NOT NULL DEFAULT ARRAY['openid','profile','email'],
allowed_email_domains TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
iat_window_seconds INTEGER NOT NULL DEFAULT 300, -- min 1, max 600 enforced at app layer
jwks_cache_ttl_seconds INTEGER NOT NULL DEFAULT 3600, -- min 60 enforced at app layer
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
UNIQUE (tenant_id, name),
-- Closed enum for groups_claim_format. Phase 3's resolver
-- dispatches on this column.
CONSTRAINT oidc_providers_claim_format_check
CHECK (groups_claim_format IN ('string-array', 'json-path')),
-- Defense-in-depth: app-layer Validate() also enforces these.
CONSTRAINT oidc_providers_iat_window_bounds
CHECK (iat_window_seconds > 0 AND iat_window_seconds <= 600),
CONSTRAINT oidc_providers_jwks_ttl_bounds
CHECK (jwks_cache_ttl_seconds >= 60)
);
-- Group→role mappings: one row per (provider, group_name, role) tuple.
-- ON DELETE CASCADE on provider so deleting a provider cleans up its
-- mappings. Name-based per the forward-compat seam: if the IdP renames
-- a group, the operator updates the mapping. We don't depend on
-- IdP-internal identifiers (which differ per IdP and resist
-- documentation).
CREATE TABLE IF NOT EXISTS group_role_mappings (
id TEXT PRIMARY KEY, -- prefix `grm-`
tenant_id TEXT NOT NULL DEFAULT 't-default'
REFERENCES tenants(id) ON DELETE CASCADE,
provider_id TEXT NOT NULL REFERENCES oidc_providers(id) ON DELETE CASCADE,
group_name TEXT NOT NULL,
role_id TEXT NOT NULL REFERENCES roles(id) ON DELETE RESTRICT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-- One mapping per (provider, group_name, role_id) tuple. An
-- operator can map one group to multiple roles by inserting
-- multiple rows with different role_ids; the unique constraint
-- prevents accidental duplicates.
UNIQUE (provider_id, group_name, role_id)
);
-- Indexes for the hot paths Phase 3's service consumes:
-- ListByProvider walks all mappings for a given provider; Map(group_names)
-- reads the same rows then filters in-memory.
CREATE INDEX IF NOT EXISTS idx_group_role_mappings_provider_id
ON group_role_mappings (provider_id);
COMMIT;
Reference in New Issue View Git Blame Copy Permalink