Checkpoint: password reset, rule expiry, migrations

- Self-service and admin password-change endpoints (PUT /v1/auth/password, PUT /v1/accounts/{id}/password) - Policy rule time-scoped expiry (not_before / expires_at) with migration 000006 and engine filtering - golang-migrate integration; embedded SQL migrations - PolicyRecord fieldalignment lint fix Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 14:38:38 -07:00
parent d7b69ed983
commit 22158824bd
25 changed files with 1574 additions and 137 deletions
--- a/internal/db/policy_test.go
+++ b/internal/db/policy_test.go
@@ -3,6 +3,7 @@ package db
 import (
 	"errors"
 	"testing"
+	"time"

 	"git.wntrmute.dev/kyle/mcias/internal/model"
 )
@@ -11,7 +12,7 @@ func TestCreateAndGetPolicyRule(t *testing.T) {
 	db := openTestDB(t)

 	ruleJSON := `{"actions":["pgcreds:read"],"resource_type":"pgcreds","effect":"allow"}`
-	rec, err := db.CreatePolicyRule("test rule", 50, ruleJSON, nil)
+	rec, err := db.CreatePolicyRule("test rule", 50, ruleJSON, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("CreatePolicyRule: %v", err)
 	}
@@ -49,9 +50,9 @@ func TestGetPolicyRule_NotFound(t *testing.T) {
 func TestListPolicyRules(t *testing.T) {
 	db := openTestDB(t)

-	_, _ = db.CreatePolicyRule("rule A", 100, `{"effect":"allow"}`, nil)
-	_, _ = db.CreatePolicyRule("rule B", 50, `{"effect":"deny"}`, nil)
-	_, _ = db.CreatePolicyRule("rule C", 200, `{"effect":"allow"}`, nil)
+	_, _ = db.CreatePolicyRule("rule A", 100, `{"effect":"allow"}`, nil, nil, nil)
+	_, _ = db.CreatePolicyRule("rule B", 50, `{"effect":"deny"}`, nil, nil, nil)
+	_, _ = db.CreatePolicyRule("rule C", 200, `{"effect":"allow"}`, nil, nil, nil)

 	rules, err := db.ListPolicyRules(false)
 	if err != nil {
@@ -70,8 +71,8 @@ func TestListPolicyRules(t *testing.T) {
 func TestListPolicyRules_EnabledOnly(t *testing.T) {
 	db := openTestDB(t)

-	r1, _ := db.CreatePolicyRule("enabled rule", 100, `{"effect":"allow"}`, nil)
-	r2, _ := db.CreatePolicyRule("disabled rule", 100, `{"effect":"deny"}`, nil)
+	r1, _ := db.CreatePolicyRule("enabled rule", 100, `{"effect":"allow"}`, nil, nil, nil)
+	r2, _ := db.CreatePolicyRule("disabled rule", 100, `{"effect":"deny"}`, nil, nil, nil)

 	if err := db.SetPolicyRuleEnabled(r2.ID, false); err != nil {
 		t.Fatalf("SetPolicyRuleEnabled: %v", err)
@@ -100,11 +101,11 @@ func TestListPolicyRules_EnabledOnly(t *testing.T) {
 func TestUpdatePolicyRule(t *testing.T) {
 	db := openTestDB(t)

-	rec, _ := db.CreatePolicyRule("original", 100, `{"effect":"allow"}`, nil)
+	rec, _ := db.CreatePolicyRule("original", 100, `{"effect":"allow"}`, nil, nil, nil)

 	newDesc := "updated description"
 	newPriority := 25
-	if err := db.UpdatePolicyRule(rec.ID, &newDesc, &newPriority, nil); err != nil {
+	if err := db.UpdatePolicyRule(rec.ID, &newDesc, &newPriority, nil, nil, nil); err != nil {
 		t.Fatalf("UpdatePolicyRule: %v", err)
 	}

@@ -127,10 +128,10 @@ func TestUpdatePolicyRule(t *testing.T) {
 func TestUpdatePolicyRule_RuleJSON(t *testing.T) {
 	db := openTestDB(t)

-	rec, _ := db.CreatePolicyRule("rule", 100, `{"effect":"allow"}`, nil)
+	rec, _ := db.CreatePolicyRule("rule", 100, `{"effect":"allow"}`, nil, nil, nil)

 	newJSON := `{"effect":"deny","roles":["auditor"]}`
-	if err := db.UpdatePolicyRule(rec.ID, nil, nil, &newJSON); err != nil {
+	if err := db.UpdatePolicyRule(rec.ID, nil, nil, &newJSON, nil, nil); err != nil {
 		t.Fatalf("UpdatePolicyRule (json only): %v", err)
 	}

@@ -150,7 +151,7 @@ func TestUpdatePolicyRule_RuleJSON(t *testing.T) {
 func TestSetPolicyRuleEnabled(t *testing.T) {
 	db := openTestDB(t)

-	rec, _ := db.CreatePolicyRule("toggle rule", 100, `{"effect":"allow"}`, nil)
+	rec, _ := db.CreatePolicyRule("toggle rule", 100, `{"effect":"allow"}`, nil, nil, nil)
 	if !rec.Enabled {
 		t.Fatal("new rule should be enabled")
 	}
@@ -175,7 +176,7 @@ func TestSetPolicyRuleEnabled(t *testing.T) {
 func TestDeletePolicyRule(t *testing.T) {
 	db := openTestDB(t)

-	rec, _ := db.CreatePolicyRule("to delete", 100, `{"effect":"allow"}`, nil)
+	rec, _ := db.CreatePolicyRule("to delete", 100, `{"effect":"allow"}`, nil, nil, nil)

 	if err := db.DeletePolicyRule(rec.ID); err != nil {
 		t.Fatalf("DeletePolicyRule: %v", err)
@@ -200,7 +201,7 @@ func TestCreatePolicyRule_WithCreatedBy(t *testing.T) {
 	db := openTestDB(t)

 	acct, _ := db.CreateAccount("policy-creator", model.AccountTypeHuman, "hash")
-	rec, err := db.CreatePolicyRule("by user", 100, `{"effect":"allow"}`, &acct.ID)
+	rec, err := db.CreatePolicyRule("by user", 100, `{"effect":"allow"}`, &acct.ID, nil, nil)
 	if err != nil {
 		t.Fatalf("CreatePolicyRule with createdBy: %v", err)
 	}
@@ -210,3 +211,111 @@ func TestCreatePolicyRule_WithCreatedBy(t *testing.T) {
 		t.Errorf("expected CreatedBy=%d, got %v", acct.ID, got.CreatedBy)
 	}
 }
+
+func TestCreatePolicyRule_WithExpiresAt(t *testing.T) {
+	db := openTestDB(t)
+
+	exp := time.Date(2030, 6, 1, 0, 0, 0, 0, time.UTC)
+	rec, err := db.CreatePolicyRule("expiring rule", 100, `{"effect":"allow"}`, nil, nil, &exp)
+	if err != nil {
+		t.Fatalf("CreatePolicyRule with expiresAt: %v", err)
+	}
+
+	got, err := db.GetPolicyRule(rec.ID)
+	if err != nil {
+		t.Fatalf("GetPolicyRule: %v", err)
+	}
+	if got.ExpiresAt == nil {
+		t.Fatal("expected ExpiresAt to be set")
+	}
+	if !got.ExpiresAt.Equal(exp) {
+		t.Errorf("expected ExpiresAt=%v, got %v", exp, *got.ExpiresAt)
+	}
+	if got.NotBefore != nil {
+		t.Errorf("expected NotBefore=nil, got %v", *got.NotBefore)
+	}
+}
+
+func TestCreatePolicyRule_WithNotBefore(t *testing.T) {
+	db := openTestDB(t)
+
+	nb := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
+	rec, err := db.CreatePolicyRule("scheduled rule", 100, `{"effect":"allow"}`, nil, &nb, nil)
+	if err != nil {
+		t.Fatalf("CreatePolicyRule with notBefore: %v", err)
+	}
+
+	got, err := db.GetPolicyRule(rec.ID)
+	if err != nil {
+		t.Fatalf("GetPolicyRule: %v", err)
+	}
+	if got.NotBefore == nil {
+		t.Fatal("expected NotBefore to be set")
+	}
+	if !got.NotBefore.Equal(nb) {
+		t.Errorf("expected NotBefore=%v, got %v", nb, *got.NotBefore)
+	}
+	if got.ExpiresAt != nil {
+		t.Errorf("expected ExpiresAt=nil, got %v", *got.ExpiresAt)
+	}
+}
+
+func TestCreatePolicyRule_WithBothTimes(t *testing.T) {
+	db := openTestDB(t)
+
+	nb := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
+	exp := time.Date(2030, 6, 1, 0, 0, 0, 0, time.UTC)
+	rec, err := db.CreatePolicyRule("windowed rule", 100, `{"effect":"allow"}`, nil, &nb, &exp)
+	if err != nil {
+		t.Fatalf("CreatePolicyRule with both times: %v", err)
+	}
+
+	got, err := db.GetPolicyRule(rec.ID)
+	if err != nil {
+		t.Fatalf("GetPolicyRule: %v", err)
+	}
+	if got.NotBefore == nil || !got.NotBefore.Equal(nb) {
+		t.Errorf("NotBefore mismatch: got %v", got.NotBefore)
+	}
+	if got.ExpiresAt == nil || !got.ExpiresAt.Equal(exp) {
+		t.Errorf("ExpiresAt mismatch: got %v", got.ExpiresAt)
+	}
+}
+
+func TestUpdatePolicyRule_SetExpiresAt(t *testing.T) {
+	db := openTestDB(t)
+
+	rec, _ := db.CreatePolicyRule("no expiry", 100, `{"effect":"allow"}`, nil, nil, nil)
+
+	exp := time.Date(2030, 12, 31, 23, 59, 59, 0, time.UTC)
+	expPtr := &exp
+	if err := db.UpdatePolicyRule(rec.ID, nil, nil, nil, nil, &expPtr); err != nil {
+		t.Fatalf("UpdatePolicyRule (set expires_at): %v", err)
+	}
+
+	got, _ := db.GetPolicyRule(rec.ID)
+	if got.ExpiresAt == nil {
+		t.Fatal("expected ExpiresAt to be set after update")
+	}
+	if !got.ExpiresAt.Equal(exp) {
+		t.Errorf("expected ExpiresAt=%v, got %v", exp, *got.ExpiresAt)
+	}
+}
+
+func TestUpdatePolicyRule_ClearExpiresAt(t *testing.T) {
+	db := openTestDB(t)
+
+	exp := time.Date(2030, 6, 1, 0, 0, 0, 0, time.UTC)
+	rec, _ := db.CreatePolicyRule("will clear", 100, `{"effect":"allow"}`, nil, nil, &exp)
+
+	// Clear expires_at by passing non-nil outer, nil inner.
+	var nilTime *time.Time
+	if err := db.UpdatePolicyRule(rec.ID, nil, nil, nil, nil, &nilTime); err != nil {
+		t.Fatalf("UpdatePolicyRule (clear expires_at): %v", err)
+	}
+
+	got, _ := db.GetPolicyRule(rec.ID)
+	if got.ExpiresAt != nil {
+		t.Errorf("expected ExpiresAt=nil after clear, got %v", *got.ExpiresAt)
+	}
+}