db: integrate golang-migrate for schema migrations

- internal/db/migrations/: five embedded SQL files containing the migration SQL previously held as Go string literals. Files follow the NNN_description.up.sql naming convention required by golang-migrate's iofs source. - internal/db/migrate.go: rewritten to use github.com/golang-migrate/migrate/v4 with the database/sqlite driver (modernc.org/sqlite, pure Go) and source/iofs for compile-time embedded SQL. - newMigrate() opens a dedicated *sql.DB so m.Close() does not affect the caller's shared connection. - Migrate() includes a compatibility shim: reads the legacy schema_version table and calls m.Force(v) before m.Up() so existing databases are not re-migrated. - LatestSchemaVersion promoted from var to const. - internal/db/db.go: added path field to DB struct; Open() translates ':memory:' to a named shared-cache URI (file:mcias_N?mode=memory&cache=shared) so the migration runner can open a second connection to the same in-memory database without sharing the handle that golang-migrate will close on teardown. - go.mod: added golang-migrate/migrate/v4 v4.19.1 (direct). All callers unchanged. All tests pass; golangci-lint clean.
2026-03-12 11:52:39 -07:00
parent b2f2f04646
commit d7b69ed983
12 changed files with 399 additions and 264 deletions
--- a/internal/db/migrations/000001_initial_schema.up.sql
+++ b/internal/db/migrations/000001_initial_schema.up.sql
@@ -0,0 +1,92 @@
+CREATE TABLE IF NOT EXISTS schema_version (
+    version INTEGER NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS server_config (
+    id                  INTEGER PRIMARY KEY CHECK (id = 1),
+    signing_key_enc     BLOB,
+    signing_key_nonce   BLOB,
+    created_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+);
+
+CREATE TABLE IF NOT EXISTS accounts (
+    id                  INTEGER PRIMARY KEY,
+    uuid                TEXT    NOT NULL UNIQUE,
+    username            TEXT    NOT NULL UNIQUE COLLATE NOCASE,
+    account_type        TEXT    NOT NULL CHECK (account_type IN ('human','system')),
+    password_hash       TEXT,
+    status              TEXT    NOT NULL DEFAULT 'active'
+                                CHECK (status IN ('active','inactive','deleted')),
+    totp_required       INTEGER NOT NULL DEFAULT 0 CHECK (totp_required IN (0,1)),
+    totp_secret_enc     BLOB,
+    totp_secret_nonce   BLOB,
+    created_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    deleted_at          TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_accounts_username ON accounts (username);
+CREATE INDEX IF NOT EXISTS idx_accounts_uuid     ON accounts (uuid);
+CREATE INDEX IF NOT EXISTS idx_accounts_status   ON accounts (status);
+
+CREATE TABLE IF NOT EXISTS account_roles (
+    id          INTEGER PRIMARY KEY,
+    account_id  INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
+    role        TEXT    NOT NULL,
+    granted_by  INTEGER REFERENCES accounts(id),
+    granted_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    UNIQUE (account_id, role)
+);
+
+CREATE INDEX IF NOT EXISTS idx_account_roles_account ON account_roles (account_id);
+
+CREATE TABLE IF NOT EXISTS token_revocation (
+    id            INTEGER PRIMARY KEY,
+    jti           TEXT    NOT NULL UNIQUE,
+    account_id    INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
+    expires_at    TEXT    NOT NULL,
+    revoked_at    TEXT,
+    revoke_reason TEXT,
+    issued_at     TEXT    NOT NULL,
+    created_at    TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_token_jti     ON token_revocation (jti);
+CREATE INDEX IF NOT EXISTS idx_token_account ON token_revocation (account_id);
+CREATE INDEX IF NOT EXISTS idx_token_expires ON token_revocation (expires_at);
+
+CREATE TABLE IF NOT EXISTS system_tokens (
+    id          INTEGER PRIMARY KEY,
+    account_id  INTEGER NOT NULL UNIQUE REFERENCES accounts(id) ON DELETE CASCADE,
+    jti         TEXT    NOT NULL UNIQUE,
+    expires_at  TEXT    NOT NULL,
+    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+);
+
+CREATE TABLE IF NOT EXISTS pg_credentials (
+    id                  INTEGER PRIMARY KEY,
+    account_id          INTEGER NOT NULL UNIQUE REFERENCES accounts(id) ON DELETE CASCADE,
+    pg_host             TEXT    NOT NULL,
+    pg_port             INTEGER NOT NULL DEFAULT 5432,
+    pg_database         TEXT    NOT NULL,
+    pg_username         TEXT    NOT NULL,
+    pg_password_enc     BLOB    NOT NULL,
+    pg_password_nonce   BLOB    NOT NULL,
+    created_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+);
+
+CREATE TABLE IF NOT EXISTS audit_log (
+    id          INTEGER PRIMARY KEY,
+    event_time  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    event_type  TEXT    NOT NULL,
+    actor_id    INTEGER REFERENCES accounts(id),
+    target_id   INTEGER REFERENCES accounts(id),
+    ip_address  TEXT,
+    details     TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_audit_time  ON audit_log (event_time);
+CREATE INDEX IF NOT EXISTS idx_audit_actor ON audit_log (actor_id);
+CREATE INDEX IF NOT EXISTS idx_audit_event ON audit_log (event_type);
--- a/internal/db/migrations/000002_master_key_salt.up.sql
+++ b/internal/db/migrations/000002_master_key_salt.up.sql
@@ -0,0 +1,4 @@
+-- Add master_key_salt to server_config for Argon2id KDF salt storage.
+-- The salt must be stable across restarts so the passphrase always yields the same key.
+-- We allow NULL signing_key_enc/nonce temporarily until the first signing key is generated.
+ALTER TABLE server_config ADD COLUMN master_key_salt BLOB;
--- a/internal/db/migrations/000003_failed_logins.up.sql
+++ b/internal/db/migrations/000003_failed_logins.up.sql
@@ -0,0 +1,8 @@
+-- Track per-account failed login attempts for lockout enforcement (F-08).
+-- One row per account; window_start resets when the window expires or on
+-- a successful login.  The DB layer enforces atomicity via UPDATE+INSERT.
+CREATE TABLE IF NOT EXISTS failed_logins (
+    account_id    INTEGER NOT NULL PRIMARY KEY REFERENCES accounts(id) ON DELETE CASCADE,
+    window_start  TEXT    NOT NULL,
+    attempt_count INTEGER NOT NULL DEFAULT 1
+);
--- a/internal/db/migrations/000004_tags_and_policy.up.sql
+++ b/internal/db/migrations/000004_tags_and_policy.up.sql
@@ -0,0 +1,26 @@
+-- Machine/service tags on accounts (many-to-many).
+-- Used by the policy engine to gate access by machine or service identity
+-- (e.g. env:production, svc:payments-api, machine:db-west-01).
+CREATE TABLE IF NOT EXISTS account_tags (
+    account_id  INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
+    tag         TEXT    NOT NULL,
+    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    PRIMARY KEY (account_id, tag)
+);
+
+CREATE INDEX IF NOT EXISTS idx_account_tags_account ON account_tags (account_id);
+
+-- Policy rules stored in the database and evaluated in-process.
+-- rule_json holds a JSON-encoded policy.RuleBody (all match fields + effect).
+-- Built-in default rules are compiled into the binary and are not stored here.
+-- Rows with enabled=0 are loaded but skipped during evaluation.
+CREATE TABLE IF NOT EXISTS policy_rules (
+    id          INTEGER PRIMARY KEY,
+    priority    INTEGER NOT NULL DEFAULT 100,
+    description TEXT    NOT NULL,
+    rule_json   TEXT    NOT NULL,
+    enabled     INTEGER NOT NULL DEFAULT 1 CHECK (enabled IN (0,1)),
+    created_by  INTEGER REFERENCES accounts(id),
+    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    updated_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+);
--- a/internal/db/migrations/000005_pgcred_access.up.sql
+++ b/internal/db/migrations/000005_pgcred_access.up.sql
@@ -0,0 +1,24 @@
+-- Track which accounts own each set of pg_credentials and which other
+-- accounts have been granted read access to them.
+--
+-- owner_id: the account that administers the credentials and may grant/revoke
+--           access.  Defaults to the system account itself.  This column is
+--           nullable so that rows created before migration 5 are not broken.
+ALTER TABLE pg_credentials ADD COLUMN owner_id INTEGER REFERENCES accounts(id);
+
+-- pg_credential_access records an explicit "all-or-nothing" read grant from
+-- the credential owner to another account.  Grantees may view connection
+-- metadata (host, port, database, username) but the password is never
+-- decrypted for them in the UI.  Only the owner may update or delete the
+-- credential set.
+CREATE TABLE IF NOT EXISTS pg_credential_access (
+    id              INTEGER PRIMARY KEY,
+    credential_id   INTEGER NOT NULL REFERENCES pg_credentials(id) ON DELETE CASCADE,
+    grantee_id      INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
+    granted_by      INTEGER REFERENCES accounts(id),
+    granted_at      TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    UNIQUE (credential_id, grantee_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_pgcred_access_cred    ON pg_credential_access (credential_id);
+CREATE INDEX IF NOT EXISTS idx_pgcred_access_grantee ON pg_credential_access (grantee_id);