Checkpoint: password reset, rule expiry, migrations
- Self-service and admin password-change endpoints
(PUT /v1/auth/password, PUT /v1/accounts/{id}/password)
- Policy rule time-scoped expiry (not_before / expires_at)
with migration 000006 and engine filtering
- golang-migrate integration; embedded SQL migrations
- PolicyRecord fieldalignment lint fix
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -4,18 +4,23 @@ import (
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcias/internal/model"
|
||||
)
|
||||
|
||||
// policyRuleCols is the column list for all policy rule SELECT queries.
|
||||
const policyRuleCols = `id, priority, description, rule_json, enabled, created_by, created_at, updated_at, not_before, expires_at`
|
||||
|
||||
// CreatePolicyRule inserts a new policy rule record. The returned record
|
||||
// includes the database-assigned ID and timestamps.
|
||||
func (db *DB) CreatePolicyRule(description string, priority int, ruleJSON string, createdBy *int64) (*model.PolicyRuleRecord, error) {
|
||||
// notBefore and expiresAt are optional; nil means no constraint.
|
||||
func (db *DB) CreatePolicyRule(description string, priority int, ruleJSON string, createdBy *int64, notBefore, expiresAt *time.Time) (*model.PolicyRuleRecord, error) {
|
||||
n := now()
|
||||
result, err := db.sql.Exec(`
|
||||
INSERT INTO policy_rules (priority, description, rule_json, enabled, created_by, created_at, updated_at)
|
||||
VALUES (?, ?, ?, 1, ?, ?, ?)
|
||||
`, priority, description, ruleJSON, createdBy, n, n)
|
||||
INSERT INTO policy_rules (priority, description, rule_json, enabled, created_by, created_at, updated_at, not_before, expires_at)
|
||||
VALUES (?, ?, ?, 1, ?, ?, ?, ?, ?)
|
||||
`, priority, description, ruleJSON, createdBy, n, n, formatNullableTime(notBefore), formatNullableTime(expiresAt))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("db: create policy rule: %w", err)
|
||||
}
|
||||
@@ -39,6 +44,8 @@ func (db *DB) CreatePolicyRule(description string, priority int, ruleJSON string
|
||||
CreatedBy: createdBy,
|
||||
CreatedAt: createdAt,
|
||||
UpdatedAt: createdAt,
|
||||
NotBefore: notBefore,
|
||||
ExpiresAt: expiresAt,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -46,7 +53,7 @@ func (db *DB) CreatePolicyRule(description string, priority int, ruleJSON string
|
||||
// Returns ErrNotFound if no such rule exists.
|
||||
func (db *DB) GetPolicyRule(id int64) (*model.PolicyRuleRecord, error) {
|
||||
return db.scanPolicyRule(db.sql.QueryRow(`
|
||||
SELECT id, priority, description, rule_json, enabled, created_by, created_at, updated_at
|
||||
SELECT `+policyRuleCols+`
|
||||
FROM policy_rules WHERE id = ?
|
||||
`, id))
|
||||
}
|
||||
@@ -55,7 +62,7 @@ func (db *DB) GetPolicyRule(id int64) (*model.PolicyRuleRecord, error) {
|
||||
// When enabledOnly is true, only rules with enabled=1 are returned.
|
||||
func (db *DB) ListPolicyRules(enabledOnly bool) ([]*model.PolicyRuleRecord, error) {
|
||||
query := `
|
||||
SELECT id, priority, description, rule_json, enabled, created_by, created_at, updated_at
|
||||
SELECT ` + policyRuleCols + `
|
||||
FROM policy_rules`
|
||||
if enabledOnly {
|
||||
query += ` WHERE enabled = 1`
|
||||
@@ -80,8 +87,12 @@ func (db *DB) ListPolicyRules(enabledOnly bool) ([]*model.PolicyRuleRecord, erro
|
||||
}
|
||||
|
||||
// UpdatePolicyRule updates the mutable fields of a policy rule.
|
||||
// Only the fields in the update map are changed; other fields are untouched.
|
||||
func (db *DB) UpdatePolicyRule(id int64, description *string, priority *int, ruleJSON *string) error {
|
||||
// Only non-nil fields are changed; nil fields are left untouched.
|
||||
// For notBefore and expiresAt, use a non-nil pointer-to-pointer:
|
||||
// - nil (outer) → don't change
|
||||
// - non-nil → nil → set column to NULL
|
||||
// - non-nil → non-nil → set column to the time value
|
||||
func (db *DB) UpdatePolicyRule(id int64, description *string, priority *int, ruleJSON *string, notBefore, expiresAt **time.Time) error {
|
||||
n := now()
|
||||
|
||||
// Build SET clause dynamically to only update provided fields.
|
||||
@@ -102,6 +113,14 @@ func (db *DB) UpdatePolicyRule(id int64, description *string, priority *int, rul
|
||||
setClauses += ", rule_json = ?"
|
||||
args = append(args, *ruleJSON)
|
||||
}
|
||||
if notBefore != nil {
|
||||
setClauses += ", not_before = ?"
|
||||
args = append(args, formatNullableTime(*notBefore))
|
||||
}
|
||||
if expiresAt != nil {
|
||||
setClauses += ", expires_at = ?"
|
||||
args = append(args, formatNullableTime(*expiresAt))
|
||||
}
|
||||
args = append(args, id)
|
||||
|
||||
_, err := db.sql.Exec(`UPDATE policy_rules SET `+setClauses+` WHERE id = ?`, args...)
|
||||
@@ -141,10 +160,12 @@ func (db *DB) scanPolicyRule(row *sql.Row) (*model.PolicyRuleRecord, error) {
|
||||
var enabledInt int
|
||||
var createdAtStr, updatedAtStr string
|
||||
var createdBy *int64
|
||||
var notBeforeStr, expiresAtStr *string
|
||||
|
||||
err := row.Scan(
|
||||
&r.ID, &r.Priority, &r.Description, &r.RuleJSON,
|
||||
&enabledInt, &createdBy, &createdAtStr, &updatedAtStr,
|
||||
¬BeforeStr, &expiresAtStr,
|
||||
)
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return nil, ErrNotFound
|
||||
@@ -153,7 +174,7 @@ func (db *DB) scanPolicyRule(row *sql.Row) (*model.PolicyRuleRecord, error) {
|
||||
return nil, fmt.Errorf("db: scan policy rule: %w", err)
|
||||
}
|
||||
|
||||
return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr)
|
||||
return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr, notBeforeStr, expiresAtStr)
|
||||
}
|
||||
|
||||
// scanPolicyRuleRow scans a single policy rule from *sql.Rows.
|
||||
@@ -162,19 +183,21 @@ func (db *DB) scanPolicyRuleRow(rows *sql.Rows) (*model.PolicyRuleRecord, error)
|
||||
var enabledInt int
|
||||
var createdAtStr, updatedAtStr string
|
||||
var createdBy *int64
|
||||
var notBeforeStr, expiresAtStr *string
|
||||
|
||||
err := rows.Scan(
|
||||
&r.ID, &r.Priority, &r.Description, &r.RuleJSON,
|
||||
&enabledInt, &createdBy, &createdAtStr, &updatedAtStr,
|
||||
¬BeforeStr, &expiresAtStr,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("db: scan policy rule row: %w", err)
|
||||
}
|
||||
|
||||
return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr)
|
||||
return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr, notBeforeStr, expiresAtStr)
|
||||
}
|
||||
|
||||
func finishPolicyRuleScan(r *model.PolicyRuleRecord, enabledInt int, createdBy *int64, createdAtStr, updatedAtStr string) (*model.PolicyRuleRecord, error) {
|
||||
func finishPolicyRuleScan(r *model.PolicyRuleRecord, enabledInt int, createdBy *int64, createdAtStr, updatedAtStr string, notBeforeStr, expiresAtStr *string) (*model.PolicyRuleRecord, error) {
|
||||
r.Enabled = enabledInt == 1
|
||||
r.CreatedBy = createdBy
|
||||
|
||||
@@ -187,5 +210,23 @@ func finishPolicyRuleScan(r *model.PolicyRuleRecord, enabledInt int, createdBy *
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
r.NotBefore, err = nullableTime(notBeforeStr)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
r.ExpiresAt, err = nullableTime(expiresAtStr)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return r, nil
|
||||
}
|
||||
|
||||
// formatNullableTime converts a *time.Time to a *string suitable for SQLite.
|
||||
// Returns nil if the input is nil (stores NULL).
|
||||
func formatNullableTime(t *time.Time) *string {
|
||||
if t == nil {
|
||||
return nil
|
||||
}
|
||||
s := t.UTC().Format(time.RFC3339)
|
||||
return &s
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user