postgres

package
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 31, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package postgres implements store.Store using PostgreSQL via pgx/v5.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Migrate

func Migrate(dsn string, tlsCfg *tls.Config) error

Migrate connects with the admin DSN and runs all pending schema migrations. Call once at startup before opening the runtime connection via Open. tlsCfg may be nil; when non-nil it enables client certificate auth (mTLS).

Types

type DB

type DB struct {
	// contains filtered or unexported fields
}

DB wraps sql.DB and implements store.Store for PostgreSQL.

func OpenWithTLS

func OpenWithTLS(dsn string, tlsCfg *tls.Config) (*DB, error)

OpenWithTLS connects using a custom TLS config, enabling client certificate authentication when tlsCfg is non-nil. Pass nil for a plain (DSN-only) connection. Call Migrate first.

func (*DB) AddAWSRevokedUser added in v0.2.0

func (s *DB) AddAWSRevokedUser(ctx context.Context, roleID uuid.UUID, subUUID string) error

AddAWSRevokedUser is idempotent: re-adding an already-revoked (role,user) pair updates revoked_at to "now" so the reaper window starts fresh. Useful when a user is re-deactivated after being reactivated mid-window.

func (*DB) AddGroupMember

func (s *DB) AddGroupMember(ctx context.Context, groupID, userID uuid.UUID) error

func (*DB) Close

func (s *DB) Close() error

func (*DB) CountUsers

func (s *DB) CountUsers(ctx context.Context) (int, error)

func (*DB) CreateAWSAccount added in v0.2.0

func (s *DB) CreateAWSAccount(ctx context.Context, a *model.AWSAccount) error

func (*DB) CreateAWSRole added in v0.2.0

func (s *DB) CreateAWSRole(ctx context.Context, r *model.AWSRole) error

func (*DB) CreateAWSRoleAssignment added in v0.2.0

func (s *DB) CreateAWSRoleAssignment(ctx context.Context, a *model.AWSRoleAssignment) error

func (*DB) CreateClient

func (s *DB) CreateClient(ctx context.Context, clientID, clientSecretHash, name string, redirectURIs, scopes []string, public bool, backchannelLogoutURI *string) (*model.Client, error)

func (*DB) CreateDeviceGrant added in v0.3.0

func (s *DB) CreateDeviceGrant(ctx context.Context, g *model.DeviceGrant) error

func (*DB) CreateGrant

func (s *DB) CreateGrant(ctx context.Context, g *model.Grant) error

func (*DB) CreateGroup

func (s *DB) CreateGroup(ctx context.Context, displayName string) (*model.SCIMGroup, error)

func (*DB) CreateIntegration

func (s *DB) CreateIntegration(ctx context.Context, i *model.AppIntegration) error

func (*DB) CreateSession

func (s *DB) CreateSession(ctx context.Context, sess *model.Session) error

func (*DB) CreateSigningKey

func (s *DB) CreateSigningKey(ctx context.Context, k *model.SigningKey) error

func (*DB) CreateTOTPCredential

func (s *DB) CreateTOTPCredential(ctx context.Context, c *model.TOTPCredential) error

func (*DB) CreateUser

func (s *DB) CreateUser(ctx context.Context, email, passwordHash, name string) (*model.User, error)

func (*DB) CreateWebAuthnCredential

func (s *DB) CreateWebAuthnCredential(ctx context.Context, c *model.WebAuthnCredential) error

func (*DB) CreateWebAuthnSession

func (s *DB) CreateWebAuthnSession(ctx context.Context, userID uuid.UUID, data []byte, purpose string) (uuid.UUID, error)

func (*DB) DeactivateSigningKey

func (s *DB) DeactivateSigningKey(ctx context.Context, id uuid.UUID) error

func (*DB) DeleteAWSAccount added in v0.2.0

func (s *DB) DeleteAWSAccount(ctx context.Context, id uuid.UUID) error

func (*DB) DeleteAWSRevokedUser added in v0.2.0

func (s *DB) DeleteAWSRevokedUser(ctx context.Context, roleID uuid.UUID, subUUID string) error

func (*DB) DeleteAWSRole added in v0.2.0

func (s *DB) DeleteAWSRole(ctx context.Context, id uuid.UUID) error

func (*DB) DeleteAWSRoleAssignment added in v0.2.0

func (s *DB) DeleteAWSRoleAssignment(ctx context.Context, id uuid.UUID) error

func (*DB) DeleteClient

func (s *DB) DeleteClient(ctx context.Context, id uuid.UUID) error

func (*DB) DeleteExpiredDeviceGrants added in v0.3.0

func (s *DB) DeleteExpiredDeviceGrants(ctx context.Context) (int, error)

func (*DB) DeleteExpiredGrants

func (s *DB) DeleteExpiredGrants(ctx context.Context) error

func (*DB) DeleteExpiredSessions

func (s *DB) DeleteExpiredSessions(ctx context.Context) error

func (*DB) DeleteExternalID

func (s *DB) DeleteExternalID(ctx context.Context, provider string, userID uuid.UUID) error

func (*DB) DeleteGroup

func (s *DB) DeleteGroup(ctx context.Context, id uuid.UUID) error

func (*DB) DeleteIntegration

func (s *DB) DeleteIntegration(ctx context.Context, id uuid.UUID) error

func (*DB) DeleteSession

func (s *DB) DeleteSession(ctx context.Context, id uuid.UUID) error

func (*DB) DeleteSessionsByUserID

func (s *DB) DeleteSessionsByUserID(ctx context.Context, userID uuid.UUID) error

func (*DB) DeleteTOTP

func (s *DB) DeleteTOTP(ctx context.Context, userID uuid.UUID) error

func (*DB) DeleteUser

func (s *DB) DeleteUser(ctx context.Context, id uuid.UUID) error

func (*DB) DeleteWebAuthnCredential

func (s *DB) DeleteWebAuthnCredential(ctx context.Context, id uuid.UUID, userID uuid.UUID) error

func (*DB) DeleteWebAuthnSession

func (s *DB) DeleteWebAuthnSession(ctx context.Context, id uuid.UUID) error

func (*DB) EnableTOTP

func (s *DB) EnableTOTP(ctx context.Context, id uuid.UUID) error

func (*DB) ExtendSessionExpiry

func (s *DB) ExtendSessionExpiry(ctx context.Context, id uuid.UUID, newExpiry time.Time) error

func (*DB) GetAWSAccount added in v0.2.0

func (s *DB) GetAWSAccount(ctx context.Context, id uuid.UUID) (*model.AWSAccount, error)

func (*DB) GetAWSRole added in v0.2.0

func (s *DB) GetAWSRole(ctx context.Context, id uuid.UUID) (*model.AWSRole, error)

func (*DB) GetActiveSigningKey

func (s *DB) GetActiveSigningKey(ctx context.Context) (*model.SigningKey, error)

func (*DB) GetClientByClientID

func (s *DB) GetClientByClientID(ctx context.Context, clientID string) (*model.Client, error)

func (*DB) GetClientByID

func (s *DB) GetClientByID(ctx context.Context, id uuid.UUID) (*model.Client, error)

func (*DB) GetDeviceGrantByDeviceCodeHash added in v0.3.0

func (s *DB) GetDeviceGrantByDeviceCodeHash(ctx context.Context, hash string) (*model.DeviceGrant, error)

func (*DB) GetDeviceGrantByUserCodeHash added in v0.3.0

func (s *DB) GetDeviceGrantByUserCodeHash(ctx context.Context, hash string) (*model.DeviceGrant, error)

func (*DB) GetExternalID

func (s *DB) GetExternalID(ctx context.Context, provider string, userID uuid.UUID) (string, error)

func (*DB) GetGrantByCodeHash

func (s *DB) GetGrantByCodeHash(ctx context.Context, codeHash string) (*model.Grant, error)

func (*DB) GetGroupByID

func (s *DB) GetGroupByID(ctx context.Context, id uuid.UUID) (*model.SCIMGroup, error)

func (*DB) GetIntegration

func (s *DB) GetIntegration(ctx context.Context, id uuid.UUID) (*model.AppIntegration, error)

func (*DB) GetIntegrationByName

func (s *DB) GetIntegrationByName(ctx context.Context, name string) (*model.AppIntegration, error)

func (*DB) GetSessionByAccessTokenHash

func (s *DB) GetSessionByAccessTokenHash(ctx context.Context, hash string) (*model.Session, error)

func (*DB) GetSessionByRefreshTokenHash

func (s *DB) GetSessionByRefreshTokenHash(ctx context.Context, hash string) (*model.Session, error)

func (*DB) GetTOTPByUserID

func (s *DB) GetTOTPByUserID(ctx context.Context, userID uuid.UUID) (*model.TOTPCredential, error)

func (*DB) GetUserByEmail

func (s *DB) GetUserByEmail(ctx context.Context, email string) (*model.User, error)

func (*DB) GetUserByID

func (s *DB) GetUserByID(ctx context.Context, id uuid.UUID) (*model.User, error)

func (*DB) GetWebAuthnCredentialByCredentialID

func (s *DB) GetWebAuthnCredentialByCredentialID(ctx context.Context, credID []byte) (*model.WebAuthnCredential, error)

func (*DB) GetWebAuthnSession

func (s *DB) GetWebAuthnSession(ctx context.Context, id uuid.UUID, userID uuid.UUID, purpose string) ([]byte, error)

func (*DB) ListAWSAccounts added in v0.2.0

func (s *DB) ListAWSAccounts(ctx context.Context) ([]*model.AWSAccount, error)

func (*DB) ListAWSRevokedUsers added in v0.2.0

func (s *DB) ListAWSRevokedUsers(ctx context.Context, roleID uuid.UUID) ([]*model.AWSRevokedUser, error)

func (*DB) ListAWSRevokedUsersOlderThan added in v0.2.0

func (s *DB) ListAWSRevokedUsersOlderThan(ctx context.Context, cutoff time.Time) ([]*model.AWSRevokedUser, error)

func (*DB) ListAWSRoleAssignments added in v0.2.0

func (s *DB) ListAWSRoleAssignments(ctx context.Context) ([]*model.AWSRoleAssignment, error)

func (*DB) ListAWSRoles added in v0.2.0

func (s *DB) ListAWSRoles(ctx context.Context) ([]*model.AWSRole, error)

func (*DB) ListAWSRolesForUser added in v0.2.0

func (s *DB) ListAWSRolesForUser(ctx context.Context, userID uuid.UUID) ([]*model.AWSRole, error)

ListAWSRolesForUser joins scim_group_members → aws_role_assignments → aws_roles for one user, returning distinct roles. Used by the portal tile page so a user only sees roles their group memberships actually grant.

func (*DB) ListActiveSigningKeys

func (s *DB) ListActiveSigningKeys(ctx context.Context) ([]*model.SigningKey, error)

func (*DB) ListClientVisibility added in v0.2.0

func (s *DB) ListClientVisibility(ctx context.Context, clientID uuid.UUID) ([]uuid.UUID, error)

func (*DB) ListClients

func (s *DB) ListClients(ctx context.Context) ([]*model.Client, error)

func (*DB) ListEnabledIntegrations

func (s *DB) ListEnabledIntegrations(ctx context.Context) ([]*model.AppIntegration, error)

func (*DB) ListGroups

func (s *DB) ListGroups(ctx context.Context) ([]*model.SCIMGroup, error)

func (*DB) ListIntegrations

func (s *DB) ListIntegrations(ctx context.Context) ([]*model.AppIntegration, error)

func (*DB) ListPortalClientsForUser added in v0.2.0

func (s *DB) ListPortalClientsForUser(ctx context.Context, userID uuid.UUID) ([]*model.Client, error)

ListPortalClientsForUser joins clients ← client_visibility ← scim_group_members for one user, plus the visible_to_all shortcut. DISTINCT collapses duplicates when a user belongs to multiple linked groups for the same client. Sentinel/system clients are excluded by the show_in_portal=false default and stay invisible unless explicitly opted in.

func (*DB) ListSessionClientIDsByUser

func (s *DB) ListSessionClientIDsByUser(ctx context.Context, userID uuid.UUID) ([]uuid.UUID, error)

func (*DB) ListUsers

func (s *DB) ListUsers(ctx context.Context) ([]*model.User, error)

func (*DB) ListWebAuthnCredentials

func (s *DB) ListWebAuthnCredentials(ctx context.Context, userID uuid.UUID) ([]*model.WebAuthnCredential, error)

func (*DB) MarkDeviceGrantApproved added in v0.3.0

func (s *DB) MarkDeviceGrantApproved(ctx context.Context, id, userID uuid.UUID, mfaVerified bool, mfaVerifiedAt *time.Time, approverIP string) error

func (*DB) MarkDeviceGrantDenied added in v0.3.0

func (s *DB) MarkDeviceGrantDenied(ctx context.Context, id uuid.UUID, approverIP string) error

func (*DB) MarkDeviceGrantRedeemed added in v0.3.0

func (s *DB) MarkDeviceGrantRedeemed(ctx context.Context, id uuid.UUID) error

func (*DB) MarkGrantUsed

func (s *DB) MarkGrantUsed(ctx context.Context, id uuid.UUID) error

func (*DB) MarkSessionMFA added in v0.3.0

func (s *DB) MarkSessionMFA(ctx context.Context, id uuid.UUID, when time.Time) error

MarkSessionMFA updates the MFA freshness columns on an existing session. Called after a step-up MFA challenge succeeds so the next step-up gate sees a fresh timestamp without minting a new session row.

func (*DB) RemoveGroupMember

func (s *DB) RemoveGroupMember(ctx context.Context, groupID, userID uuid.UUID) error

func (*DB) ReplaceClientVisibility added in v0.2.0

func (s *DB) ReplaceClientVisibility(ctx context.Context, clientID uuid.UUID, groupIDs []uuid.UUID) error

ReplaceClientVisibility uses a transactional delete-then-insert pattern for parity with ReplaceGroupMembers. Per-row idempotency on the (client_id, group_id) unique constraint prevents accidental duplicates when a concurrent edit races us.

func (*DB) ReplaceGroupMembers

func (s *DB) ReplaceGroupMembers(ctx context.Context, groupID uuid.UUID, memberIDs []uuid.UUID) error

func (*DB) RotateRefreshToken

func (s *DB) RotateRefreshToken(ctx context.Context, id uuid.UUID, newRefreshHash string, newAccessExpiry, newRefreshExpiry time.Time) error

func (*DB) SetExternalID

func (s *DB) SetExternalID(ctx context.Context, provider string, userID uuid.UUID, externalID string) error

func (*DB) SetUserActive

func (s *DB) SetUserActive(ctx context.Context, id uuid.UUID, active bool) error

func (*DB) SetUserAdmin

func (s *DB) SetUserAdmin(ctx context.Context, id uuid.UUID, isAdmin bool) error

func (*DB) SetUserMustChangePassword added in v0.2.0

func (s *DB) SetUserMustChangePassword(ctx context.Context, id uuid.UUID, flag bool) error

func (*DB) SetUserSCIMExternalID

func (s *DB) SetUserSCIMExternalID(ctx context.Context, id uuid.UUID, externalID string) error

func (*DB) UpdateAWSAccount added in v0.2.0

func (s *DB) UpdateAWSAccount(ctx context.Context, a *model.AWSAccount) error

func (*DB) UpdateAWSRole added in v0.2.0

func (s *DB) UpdateAWSRole(ctx context.Context, r *model.AWSRole) error

func (*DB) UpdateClient

func (s *DB) UpdateClient(ctx context.Context, id uuid.UUID, name string, redirectURIs, scopes []string, public bool, backchannelLogoutURI *string) error

func (*DB) UpdateClientDeviceGrant added in v0.3.0

func (s *DB) UpdateClientDeviceGrant(ctx context.Context, id uuid.UUID, allow bool) error

UpdateClientDeviceGrant flips the per-client opt-in for the RFC 8628 device authorization flow. Separate entry point so the admin edit form can save this independently of the core fields.

func (*DB) UpdateClientPortalConfig added in v0.2.0

func (s *DB) UpdateClientPortalConfig(ctx context.Context, id uuid.UUID, showInPortal bool, launchURL, brandColor, iconURL string, visibleToAll bool) error

func (*DB) UpdateClientSecret

func (s *DB) UpdateClientSecret(ctx context.Context, id uuid.UUID, secretHash string) error

func (*DB) UpdateDeviceGrantPoll added in v0.3.0

func (s *DB) UpdateDeviceGrantPoll(ctx context.Context, id uuid.UUID, now time.Time, intervalSec int) error

func (*DB) UpdateGroup

func (s *DB) UpdateGroup(ctx context.Context, id uuid.UUID, displayName string) error

func (*DB) UpdateIntegration

func (s *DB) UpdateIntegration(ctx context.Context, i *model.AppIntegration) error

func (*DB) UpdateSessionActivity

func (s *DB) UpdateSessionActivity(ctx context.Context, id uuid.UUID, lastActivity time.Time) error

func (*DB) UpdateUser

func (s *DB) UpdateUser(ctx context.Context, id uuid.UUID, name string, active bool) error

func (*DB) UpdateUserFailedAttempts

func (s *DB) UpdateUserFailedAttempts(ctx context.Context, id uuid.UUID, count int, lockedUntil *time.Time) error

func (*DB) UpdateUserMFAEnabled

func (s *DB) UpdateUserMFAEnabled(ctx context.Context, id uuid.UUID, enabled bool) error

func (*DB) UpdateUserPassword

func (s *DB) UpdateUserPassword(ctx context.Context, id uuid.UUID, passwordHash string) error

UpdateUserPassword writes a new password hash and resets the rotate- required flag in the same statement. Every successful password change — whether by self-service /portal/account/password, by admin reset, or by the forced /portal/login/change-password page — therefore unblocks the user automatically.

func (*DB) UpdateWebAuthnSignCount

func (s *DB) UpdateWebAuthnSignCount(ctx context.Context, id uuid.UUID, signCount uint32, lastUsed time.Time) error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL