mcias/internal/db/policy.go

package db

import (
	"database/sql"
	"errors"
	"fmt"

	"git.wntrmute.dev/kyle/mcias/internal/model"
)

// CreatePolicyRule inserts a new policy rule record. The returned record
// includes the database-assigned ID and timestamps.
func (db *DB) CreatePolicyRule(description string, priority int, ruleJSON string, createdBy *int64) (*model.PolicyRuleRecord, error) {
	n := now()
	result, err := db.sql.Exec(`
		INSERT INTO policy_rules (priority, description, rule_json, enabled, created_by, created_at, updated_at)
		VALUES (?, ?, ?, 1, ?, ?, ?)
	`, priority, description, ruleJSON, createdBy, n, n)
	if err != nil {
		return nil, fmt.Errorf("db: create policy rule: %w", err)
	}

	id, err := result.LastInsertId()
	if err != nil {
		return nil, fmt.Errorf("db: create policy rule last insert id: %w", err)
	}

	createdAt, err := parseTime(n)
	if err != nil {
		return nil, err
	}

	return &model.PolicyRuleRecord{
		ID:          id,
		Priority:    priority,
		Description: description,
		RuleJSON:    ruleJSON,
		Enabled:     true,
		CreatedBy:   createdBy,
		CreatedAt:   createdAt,
		UpdatedAt:   createdAt,
	}, nil
}

// GetPolicyRule retrieves a single policy rule by its database ID.
// Returns ErrNotFound if no such rule exists.
func (db *DB) GetPolicyRule(id int64) (*model.PolicyRuleRecord, error) {
	return db.scanPolicyRule(db.sql.QueryRow(`
		SELECT id, priority, description, rule_json, enabled, created_by, created_at, updated_at
		FROM policy_rules WHERE id = ?
	`, id))
}

// ListPolicyRules returns all policy rules ordered by priority then ID.
// When enabledOnly is true, only rules with enabled=1 are returned.
func (db *DB) ListPolicyRules(enabledOnly bool) ([]*model.PolicyRuleRecord, error) {
	query := `
		SELECT id, priority, description, rule_json, enabled, created_by, created_at, updated_at
		FROM policy_rules`
	if enabledOnly {
		query += ` WHERE enabled = 1`
	}
	query += ` ORDER BY priority ASC, id ASC`

	rows, err := db.sql.Query(query)
	if err != nil {
		return nil, fmt.Errorf("db: list policy rules: %w", err)
	}
	defer func() { _ = rows.Close() }()

	var rules []*model.PolicyRuleRecord
	for rows.Next() {
		r, err := db.scanPolicyRuleRow(rows)
		if err != nil {
			return nil, err
		}
		rules = append(rules, r)
	}
	return rules, rows.Err()
}

// UpdatePolicyRule updates the mutable fields of a policy rule.
// Only the fields in the update map are changed; other fields are untouched.
func (db *DB) UpdatePolicyRule(id int64, description *string, priority *int, ruleJSON *string) error {
	n := now()

	// Build SET clause dynamically to only update provided fields.
	// Security: field names are not user-supplied strings — they are selected
	// from a fixed set of known column names only.
	setClauses := "updated_at = ?"
	args := []interface{}{n}

	if description != nil {
		setClauses += ", description = ?"
		args = append(args, *description)
	}
	if priority != nil {
		setClauses += ", priority = ?"
		args = append(args, *priority)
	}
	if ruleJSON != nil {
		setClauses += ", rule_json = ?"
		args = append(args, *ruleJSON)
	}
	args = append(args, id)

	_, err := db.sql.Exec(`UPDATE policy_rules SET `+setClauses+` WHERE id = ?`, args...)
	if err != nil {
		return fmt.Errorf("db: update policy rule %d: %w", id, err)
	}
	return nil
}

// SetPolicyRuleEnabled enables or disables a policy rule by ID.
func (db *DB) SetPolicyRuleEnabled(id int64, enabled bool) error {
	enabledInt := 0
	if enabled {
		enabledInt = 1
	}
	_, err := db.sql.Exec(`
		UPDATE policy_rules SET enabled = ?, updated_at = ? WHERE id = ?
	`, enabledInt, now(), id)
	if err != nil {
		return fmt.Errorf("db: set policy rule %d enabled=%v: %w", id, enabled, err)
	}
	return nil
}

// DeletePolicyRule removes a policy rule by ID.
func (db *DB) DeletePolicyRule(id int64) error {
	_, err := db.sql.Exec(`DELETE FROM policy_rules WHERE id = ?`, id)
	if err != nil {
		return fmt.Errorf("db: delete policy rule %d: %w", id, err)
	}
	return nil
}

// scanPolicyRule scans a single policy rule from a *sql.Row.
func (db *DB) scanPolicyRule(row *sql.Row) (*model.PolicyRuleRecord, error) {
	var r model.PolicyRuleRecord
	var enabledInt int
	var createdAtStr, updatedAtStr string
	var createdBy *int64

	err := row.Scan(
		&r.ID, &r.Priority, &r.Description, &r.RuleJSON,
		&enabledInt, &createdBy, &createdAtStr, &updatedAtStr,
	)
	if errors.Is(err, sql.ErrNoRows) {
		return nil, ErrNotFound
	}
	if err != nil {
		return nil, fmt.Errorf("db: scan policy rule: %w", err)
	}

	return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr)
}

// scanPolicyRuleRow scans a single policy rule from *sql.Rows.
func (db *DB) scanPolicyRuleRow(rows *sql.Rows) (*model.PolicyRuleRecord, error) {
	var r model.PolicyRuleRecord
	var enabledInt int
	var createdAtStr, updatedAtStr string
	var createdBy *int64

	err := rows.Scan(
		&r.ID, &r.Priority, &r.Description, &r.RuleJSON,
		&enabledInt, &createdBy, &createdAtStr, &updatedAtStr,
	)
	if err != nil {
		return nil, fmt.Errorf("db: scan policy rule row: %w", err)
	}

	return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr)
}

func finishPolicyRuleScan(r *model.PolicyRuleRecord, enabledInt int, createdBy *int64, createdAtStr, updatedAtStr string) (*model.PolicyRuleRecord, error) {
	r.Enabled = enabledInt == 1
	r.CreatedBy = createdBy

	var err error
	r.CreatedAt, err = parseTime(createdAtStr)
	if err != nil {
		return nil, err
	}
	r.UpdatedAt, err = parseTime(updatedAtStr)
	if err != nil {
		return nil, err
	}
	return r, nil
}