Kyle Isom
22158824bd
- Self-service and admin password-change endpoints
(PUT /v1/auth/password, PUT /v1/accounts/{id}/password)
- Policy rule time-scoped expiry (not_before / expires_at)
with migration 000006 and engine filtering
- golang-migrate integration; embedded SQL migrations
- PolicyRecord fieldalignment lint fix
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
95 lines
2.8 KiB
Go
95 lines
2.8 KiB
Go
package policy
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
// Engine wraps the stateless Evaluate function with an in-memory cache of
|
|
// operator rules loaded from the database. Built-in default rules are always
|
|
// merged in at evaluation time; they do not appear in the cache.
|
|
//
|
|
// The Engine is safe for concurrent use. Call Reload() after any change to the
|
|
// policy_rules table to refresh the cached rule set without restarting.
|
|
type Engine struct {
|
|
rules []Rule
|
|
mu sync.RWMutex
|
|
}
|
|
|
|
// NewEngine creates an Engine with an initially empty operator rule set.
|
|
// Call Reload (or load rules directly) before use in production.
|
|
func NewEngine() *Engine {
|
|
return &Engine{}
|
|
}
|
|
|
|
// SetRules atomically replaces the cached operator rule set.
|
|
// records is a slice of PolicyRuleRecord values (from the database layer).
|
|
// Only enabled records are converted to Rule values.
|
|
//
|
|
// Security: rule_json is decoded into a RuleBody struct before being merged
|
|
// into a Rule. This prevents the database from injecting values into the ID or
|
|
// Description fields that are stored as dedicated columns.
|
|
func (e *Engine) SetRules(records []PolicyRecord) error {
|
|
now := time.Now()
|
|
rules := make([]Rule, 0, len(records))
|
|
for _, rec := range records {
|
|
if !rec.Enabled {
|
|
continue
|
|
}
|
|
// Skip rules outside their validity window.
|
|
if rec.NotBefore != nil && now.Before(*rec.NotBefore) {
|
|
continue
|
|
}
|
|
if rec.ExpiresAt != nil && now.After(*rec.ExpiresAt) {
|
|
continue
|
|
}
|
|
var body RuleBody
|
|
if err := json.Unmarshal([]byte(rec.RuleJSON), &body); err != nil {
|
|
return fmt.Errorf("policy: decode rule %d %q: %w", rec.ID, rec.Description, err)
|
|
}
|
|
rules = append(rules, Rule{
|
|
ID: rec.ID,
|
|
Description: rec.Description,
|
|
Priority: rec.Priority,
|
|
Roles: body.Roles,
|
|
AccountTypes: body.AccountTypes,
|
|
SubjectUUID: body.SubjectUUID,
|
|
Actions: body.Actions,
|
|
ResourceType: body.ResourceType,
|
|
OwnerMatchesSubject: body.OwnerMatchesSubject,
|
|
ServiceNames: body.ServiceNames,
|
|
RequiredTags: body.RequiredTags,
|
|
Effect: body.Effect,
|
|
})
|
|
}
|
|
|
|
e.mu.Lock()
|
|
e.rules = rules
|
|
e.mu.Unlock()
|
|
return nil
|
|
}
|
|
|
|
// Evaluate runs the policy engine against the given input using the cached
|
|
// operator rules plus compiled-in defaults.
|
|
func (e *Engine) Evaluate(input PolicyInput) (Effect, *Rule) {
|
|
e.mu.RLock()
|
|
rules := e.rules
|
|
e.mu.RUnlock()
|
|
return Evaluate(input, rules)
|
|
}
|
|
|
|
// PolicyRecord is the minimal interface the Engine needs from the DB layer.
|
|
// Using a local struct avoids importing the db or model packages from policy,
|
|
// which would create a dependency cycle.
|
|
type PolicyRecord struct {
|
|
NotBefore *time.Time
|
|
ExpiresAt *time.Time
|
|
Description string
|
|
RuleJSON string
|
|
ID int64
|
|
Priority int
|
|
Enabled bool
|
|
}
|