Documentation
¶
Overview ¶
Package postgres implements store.Store using PostgreSQL via pgx/v5.
Index ¶
- func Migrate(dsn string, tlsCfg *tls.Config) error
- type DB
- func (s *DB) AddAWSRevokedUser(ctx context.Context, roleID uuid.UUID, subUUID string) error
- func (s *DB) AddGroupMember(ctx context.Context, groupID, userID uuid.UUID) error
- func (s *DB) Close() error
- func (s *DB) CountUsers(ctx context.Context) (int, error)
- func (s *DB) CreateAWSAccount(ctx context.Context, a *model.AWSAccount) error
- func (s *DB) CreateAWSRole(ctx context.Context, r *model.AWSRole) error
- func (s *DB) CreateAWSRoleAssignment(ctx context.Context, a *model.AWSRoleAssignment) error
- func (s *DB) CreateClient(ctx context.Context, clientID, clientSecretHash, name string, ...) (*model.Client, error)
- func (s *DB) CreateDeviceGrant(ctx context.Context, g *model.DeviceGrant) error
- func (s *DB) CreateGrant(ctx context.Context, g *model.Grant) error
- func (s *DB) CreateGroup(ctx context.Context, displayName string) (*model.SCIMGroup, error)
- func (s *DB) CreateIntegration(ctx context.Context, i *model.AppIntegration) error
- func (s *DB) CreateSession(ctx context.Context, sess *model.Session) error
- func (s *DB) CreateSigningKey(ctx context.Context, k *model.SigningKey) error
- func (s *DB) CreateTOTPCredential(ctx context.Context, c *model.TOTPCredential) error
- func (s *DB) CreateUser(ctx context.Context, email, passwordHash, name string) (*model.User, error)
- func (s *DB) CreateWebAuthnCredential(ctx context.Context, c *model.WebAuthnCredential) error
- func (s *DB) CreateWebAuthnSession(ctx context.Context, userID uuid.UUID, data []byte, purpose string) (uuid.UUID, error)
- func (s *DB) DeactivateSigningKey(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteAWSAccount(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteAWSRevokedUser(ctx context.Context, roleID uuid.UUID, subUUID string) error
- func (s *DB) DeleteAWSRole(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteAWSRoleAssignment(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteClient(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteExpiredDeviceGrants(ctx context.Context) (int, error)
- func (s *DB) DeleteExpiredGrants(ctx context.Context) error
- func (s *DB) DeleteExpiredSessions(ctx context.Context) error
- func (s *DB) DeleteExternalID(ctx context.Context, provider string, userID uuid.UUID) error
- func (s *DB) DeleteGroup(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteIntegration(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteSession(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteSessionsByUserID(ctx context.Context, userID uuid.UUID) error
- func (s *DB) DeleteTOTP(ctx context.Context, userID uuid.UUID) error
- func (s *DB) DeleteUser(ctx context.Context, id uuid.UUID) error
- func (s *DB) DeleteWebAuthnCredential(ctx context.Context, id uuid.UUID, userID uuid.UUID) error
- func (s *DB) DeleteWebAuthnSession(ctx context.Context, id uuid.UUID) error
- func (s *DB) EnableTOTP(ctx context.Context, id uuid.UUID) error
- func (s *DB) ExtendSessionExpiry(ctx context.Context, id uuid.UUID, newExpiry time.Time) error
- func (s *DB) GetAWSAccount(ctx context.Context, id uuid.UUID) (*model.AWSAccount, error)
- func (s *DB) GetAWSRole(ctx context.Context, id uuid.UUID) (*model.AWSRole, error)
- func (s *DB) GetActiveSigningKey(ctx context.Context) (*model.SigningKey, error)
- func (s *DB) GetClientByClientID(ctx context.Context, clientID string) (*model.Client, error)
- func (s *DB) GetClientByID(ctx context.Context, id uuid.UUID) (*model.Client, error)
- func (s *DB) GetDeviceGrantByDeviceCodeHash(ctx context.Context, hash string) (*model.DeviceGrant, error)
- func (s *DB) GetDeviceGrantByUserCodeHash(ctx context.Context, hash string) (*model.DeviceGrant, error)
- func (s *DB) GetExternalID(ctx context.Context, provider string, userID uuid.UUID) (string, error)
- func (s *DB) GetGrantByCodeHash(ctx context.Context, codeHash string) (*model.Grant, error)
- func (s *DB) GetGroupByID(ctx context.Context, id uuid.UUID) (*model.SCIMGroup, error)
- func (s *DB) GetIntegration(ctx context.Context, id uuid.UUID) (*model.AppIntegration, error)
- func (s *DB) GetIntegrationByName(ctx context.Context, name string) (*model.AppIntegration, error)
- func (s *DB) GetSessionByAccessTokenHash(ctx context.Context, hash string) (*model.Session, error)
- func (s *DB) GetSessionByRefreshTokenHash(ctx context.Context, hash string) (*model.Session, error)
- func (s *DB) GetTOTPByUserID(ctx context.Context, userID uuid.UUID) (*model.TOTPCredential, error)
- func (s *DB) GetUserByEmail(ctx context.Context, email string) (*model.User, error)
- func (s *DB) GetUserByID(ctx context.Context, id uuid.UUID) (*model.User, error)
- func (s *DB) GetWebAuthnCredentialByCredentialID(ctx context.Context, credID []byte) (*model.WebAuthnCredential, error)
- func (s *DB) GetWebAuthnSession(ctx context.Context, id uuid.UUID, userID uuid.UUID, purpose string) ([]byte, error)
- func (s *DB) ListAWSAccounts(ctx context.Context) ([]*model.AWSAccount, error)
- func (s *DB) ListAWSRevokedUsers(ctx context.Context, roleID uuid.UUID) ([]*model.AWSRevokedUser, error)
- func (s *DB) ListAWSRevokedUsersOlderThan(ctx context.Context, cutoff time.Time) ([]*model.AWSRevokedUser, error)
- func (s *DB) ListAWSRoleAssignments(ctx context.Context) ([]*model.AWSRoleAssignment, error)
- func (s *DB) ListAWSRoles(ctx context.Context) ([]*model.AWSRole, error)
- func (s *DB) ListAWSRolesForUser(ctx context.Context, userID uuid.UUID) ([]*model.AWSRole, error)
- func (s *DB) ListActiveSigningKeys(ctx context.Context) ([]*model.SigningKey, error)
- func (s *DB) ListClientVisibility(ctx context.Context, clientID uuid.UUID) ([]uuid.UUID, error)
- func (s *DB) ListClients(ctx context.Context) ([]*model.Client, error)
- func (s *DB) ListEnabledIntegrations(ctx context.Context) ([]*model.AppIntegration, error)
- func (s *DB) ListGroups(ctx context.Context) ([]*model.SCIMGroup, error)
- func (s *DB) ListIntegrations(ctx context.Context) ([]*model.AppIntegration, error)
- func (s *DB) ListPortalClientsForUser(ctx context.Context, userID uuid.UUID) ([]*model.Client, error)
- func (s *DB) ListSessionClientIDsByUser(ctx context.Context, userID uuid.UUID) ([]uuid.UUID, error)
- func (s *DB) ListUsers(ctx context.Context) ([]*model.User, error)
- func (s *DB) ListWebAuthnCredentials(ctx context.Context, userID uuid.UUID) ([]*model.WebAuthnCredential, error)
- func (s *DB) MarkDeviceGrantApproved(ctx context.Context, id, userID uuid.UUID, mfaVerified bool, ...) error
- func (s *DB) MarkDeviceGrantDenied(ctx context.Context, id uuid.UUID, approverIP string) error
- func (s *DB) MarkDeviceGrantRedeemed(ctx context.Context, id uuid.UUID) error
- func (s *DB) MarkGrantUsed(ctx context.Context, id uuid.UUID) error
- func (s *DB) MarkSessionMFA(ctx context.Context, id uuid.UUID, when time.Time) error
- func (s *DB) RemoveGroupMember(ctx context.Context, groupID, userID uuid.UUID) error
- func (s *DB) ReplaceClientVisibility(ctx context.Context, clientID uuid.UUID, groupIDs []uuid.UUID) error
- func (s *DB) ReplaceGroupMembers(ctx context.Context, groupID uuid.UUID, memberIDs []uuid.UUID) error
- func (s *DB) RotateRefreshToken(ctx context.Context, id uuid.UUID, newRefreshHash string, ...) error
- func (s *DB) SetExternalID(ctx context.Context, provider string, userID uuid.UUID, externalID string) error
- func (s *DB) SetUserActive(ctx context.Context, id uuid.UUID, active bool) error
- func (s *DB) SetUserAdmin(ctx context.Context, id uuid.UUID, isAdmin bool) error
- func (s *DB) SetUserMustChangePassword(ctx context.Context, id uuid.UUID, flag bool) error
- func (s *DB) SetUserSCIMExternalID(ctx context.Context, id uuid.UUID, externalID string) error
- func (s *DB) UpdateAWSAccount(ctx context.Context, a *model.AWSAccount) error
- func (s *DB) UpdateAWSRole(ctx context.Context, r *model.AWSRole) error
- func (s *DB) UpdateClient(ctx context.Context, id uuid.UUID, name string, redirectURIs, scopes []string, ...) error
- func (s *DB) UpdateClientDeviceGrant(ctx context.Context, id uuid.UUID, allow bool) error
- func (s *DB) UpdateClientPortalConfig(ctx context.Context, id uuid.UUID, showInPortal bool, ...) error
- func (s *DB) UpdateClientSecret(ctx context.Context, id uuid.UUID, secretHash string) error
- func (s *DB) UpdateDeviceGrantPoll(ctx context.Context, id uuid.UUID, now time.Time, intervalSec int) error
- func (s *DB) UpdateGroup(ctx context.Context, id uuid.UUID, displayName string) error
- func (s *DB) UpdateIntegration(ctx context.Context, i *model.AppIntegration) error
- func (s *DB) UpdateSessionActivity(ctx context.Context, id uuid.UUID, lastActivity time.Time) error
- func (s *DB) UpdateUser(ctx context.Context, id uuid.UUID, name string, active bool) error
- func (s *DB) UpdateUserFailedAttempts(ctx context.Context, id uuid.UUID, count int, lockedUntil *time.Time) error
- func (s *DB) UpdateUserMFAEnabled(ctx context.Context, id uuid.UUID, enabled bool) error
- func (s *DB) UpdateUserPassword(ctx context.Context, id uuid.UUID, passwordHash string) error
- func (s *DB) UpdateWebAuthnSignCount(ctx context.Context, id uuid.UUID, signCount uint32, lastUsed time.Time) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type DB ¶
type DB struct {
// contains filtered or unexported fields
}
DB wraps sql.DB and implements store.Store for PostgreSQL.
func OpenWithTLS ¶
OpenWithTLS connects using a custom TLS config, enabling client certificate authentication when tlsCfg is non-nil. Pass nil for a plain (DSN-only) connection. Call Migrate first.
func (*DB) AddAWSRevokedUser ¶ added in v0.2.0
AddAWSRevokedUser is idempotent: re-adding an already-revoked (role,user) pair updates revoked_at to "now" so the reaper window starts fresh. Useful when a user is re-deactivated after being reactivated mid-window.
func (*DB) AddGroupMember ¶
func (*DB) CreateAWSAccount ¶ added in v0.2.0
func (*DB) CreateAWSRole ¶ added in v0.2.0
func (*DB) CreateAWSRoleAssignment ¶ added in v0.2.0
func (*DB) CreateClient ¶
func (*DB) CreateDeviceGrant ¶ added in v0.3.0
func (*DB) CreateGroup ¶
func (*DB) CreateIntegration ¶
func (*DB) CreateSession ¶
func (*DB) CreateSigningKey ¶
func (*DB) CreateTOTPCredential ¶
func (*DB) CreateUser ¶
func (*DB) CreateWebAuthnCredential ¶
func (*DB) CreateWebAuthnSession ¶
func (*DB) DeactivateSigningKey ¶
func (*DB) DeleteAWSAccount ¶ added in v0.2.0
func (*DB) DeleteAWSRevokedUser ¶ added in v0.2.0
func (*DB) DeleteAWSRole ¶ added in v0.2.0
func (*DB) DeleteAWSRoleAssignment ¶ added in v0.2.0
func (*DB) DeleteExpiredDeviceGrants ¶ added in v0.3.0
func (*DB) DeleteExternalID ¶
func (*DB) DeleteIntegration ¶
func (*DB) DeleteSessionsByUserID ¶
func (*DB) DeleteWebAuthnCredential ¶
func (*DB) DeleteWebAuthnSession ¶
func (*DB) ExtendSessionExpiry ¶
func (*DB) GetAWSAccount ¶ added in v0.2.0
func (*DB) GetAWSRole ¶ added in v0.2.0
func (*DB) GetActiveSigningKey ¶
func (*DB) GetClientByClientID ¶
func (*DB) GetClientByID ¶
func (*DB) GetDeviceGrantByDeviceCodeHash ¶ added in v0.3.0
func (*DB) GetDeviceGrantByUserCodeHash ¶ added in v0.3.0
func (*DB) GetExternalID ¶
func (*DB) GetGrantByCodeHash ¶
func (*DB) GetGroupByID ¶
func (*DB) GetIntegration ¶
func (*DB) GetIntegrationByName ¶
func (*DB) GetSessionByAccessTokenHash ¶
func (*DB) GetSessionByRefreshTokenHash ¶
func (*DB) GetTOTPByUserID ¶
func (*DB) GetUserByEmail ¶
func (*DB) GetUserByID ¶
func (*DB) GetWebAuthnCredentialByCredentialID ¶
func (*DB) GetWebAuthnSession ¶
func (*DB) ListAWSAccounts ¶ added in v0.2.0
func (*DB) ListAWSRevokedUsers ¶ added in v0.2.0
func (*DB) ListAWSRevokedUsersOlderThan ¶ added in v0.2.0
func (*DB) ListAWSRoleAssignments ¶ added in v0.2.0
func (*DB) ListAWSRoles ¶ added in v0.2.0
func (*DB) ListAWSRolesForUser ¶ added in v0.2.0
ListAWSRolesForUser joins scim_group_members → aws_role_assignments → aws_roles for one user, returning distinct roles. Used by the portal tile page so a user only sees roles their group memberships actually grant.
func (*DB) ListActiveSigningKeys ¶
func (*DB) ListClientVisibility ¶ added in v0.2.0
func (*DB) ListEnabledIntegrations ¶
func (*DB) ListIntegrations ¶
func (*DB) ListPortalClientsForUser ¶ added in v0.2.0
func (s *DB) ListPortalClientsForUser(ctx context.Context, userID uuid.UUID) ([]*model.Client, error)
ListPortalClientsForUser joins clients ← client_visibility ← scim_group_members for one user, plus the visible_to_all shortcut. DISTINCT collapses duplicates when a user belongs to multiple linked groups for the same client. Sentinel/system clients are excluded by the show_in_portal=false default and stay invisible unless explicitly opted in.
func (*DB) ListSessionClientIDsByUser ¶
func (*DB) ListWebAuthnCredentials ¶
func (*DB) MarkDeviceGrantApproved ¶ added in v0.3.0
func (*DB) MarkDeviceGrantDenied ¶ added in v0.3.0
func (*DB) MarkDeviceGrantRedeemed ¶ added in v0.3.0
func (*DB) MarkSessionMFA ¶ added in v0.3.0
MarkSessionMFA updates the MFA freshness columns on an existing session. Called after a step-up MFA challenge succeeds so the next step-up gate sees a fresh timestamp without minting a new session row.
func (*DB) RemoveGroupMember ¶
func (*DB) ReplaceClientVisibility ¶ added in v0.2.0
func (s *DB) ReplaceClientVisibility(ctx context.Context, clientID uuid.UUID, groupIDs []uuid.UUID) error
ReplaceClientVisibility uses a transactional delete-then-insert pattern for parity with ReplaceGroupMembers. Per-row idempotency on the (client_id, group_id) unique constraint prevents accidental duplicates when a concurrent edit races us.
func (*DB) ReplaceGroupMembers ¶
func (*DB) RotateRefreshToken ¶
func (*DB) SetExternalID ¶
func (*DB) SetUserActive ¶
func (*DB) SetUserAdmin ¶
func (*DB) SetUserMustChangePassword ¶ added in v0.2.0
func (*DB) SetUserSCIMExternalID ¶
func (*DB) UpdateAWSAccount ¶ added in v0.2.0
func (*DB) UpdateAWSRole ¶ added in v0.2.0
func (*DB) UpdateClient ¶
func (*DB) UpdateClientDeviceGrant ¶ added in v0.3.0
UpdateClientDeviceGrant flips the per-client opt-in for the RFC 8628 device authorization flow. Separate entry point so the admin edit form can save this independently of the core fields.
func (*DB) UpdateClientPortalConfig ¶ added in v0.2.0
func (*DB) UpdateClientSecret ¶
func (*DB) UpdateDeviceGrantPoll ¶ added in v0.3.0
func (*DB) UpdateGroup ¶
func (*DB) UpdateIntegration ¶
func (*DB) UpdateSessionActivity ¶
func (*DB) UpdateUser ¶
func (*DB) UpdateUserFailedAttempts ¶
func (*DB) UpdateUserMFAEnabled ¶
func (*DB) UpdateUserPassword ¶
UpdateUserPassword writes a new password hash and resets the rotate- required flag in the same statement. Every successful password change — whether by self-service /portal/account/password, by admin reset, or by the forced /portal/login/change-password page — therefore unblocks the user automatically.