Index ¶
- Constants
- Variables
- func BuildLabelSelectorFromMap(labels map[string]string) string
- func IsValidActorOrderByField[T string | ActorOrderByField](field T) bool
- func IsValidConnectionOrderByField[T string | ConnectionOrderByField](field T) bool
- func IsValidConnectionState[T string | ConnectionState](state T) bool
- func IsValidConnectorOrderByField[T string | ConnectorOrderByField](field T) bool
- func IsValidConnectorVersionOrderByField[T string | ConnectorVersionOrderByField](field T) bool
- func IsValidConnectorVersionState[T string | ConnectorVersionState](state T) bool
- func IsValidEncryptionKeyOrderByField[T string | EncryptionKeyOrderByField](field T) bool
- func IsValidEncryptionKeyState[T string | EncryptionKeyState](state T) bool
- func IsValidNamespaceOrderByField[T string | NamespaceOrderByField](field T) bool
- func IsValidNamespaceState[T string | NamespaceState](state T) bool
- func RegisterEncryptedField(reg EncryptedFieldRegistration)
- func ValidateAnnotationKey(key string) error
- func ValidateAnnotationValue(_ string) error
- func ValidateAnnotations(annotations map[string]string) error
- func ValidateLabelKey(key string) error
- func ValidateLabelValue(value string) error
- func ValidateLabels(labels map[string]string) error
- type Actor
- func (a *Actor) CanSelfSign() bool
- func (a *Actor) GetAnnotations() map[string]string
- func (a *Actor) GetEncryptedKey() *encfield.EncryptedField
- func (a *Actor) GetExternalId() string
- func (a *Actor) GetId() apid.ID
- func (a *Actor) GetLabels() map[string]string
- func (a *Actor) GetNamespace() string
- func (a *Actor) GetPermissions() []aschema.Permission
- type ActorOrderByField
- type Annotations
- type Connection
- type ConnectionOrderByField
- type ConnectionState
- type Connector
- type ConnectorOrderByField
- type ConnectorVersion
- type ConnectorVersionId
- type ConnectorVersionOrderByField
- type ConnectorVersionState
- type ConnectorVersionStates
- type DB
- func MustApplyBlankTestDbConfig(t testing.TB, cfg config.C) (config.C, DB)
- func MustApplyBlankTestDbConfigRaw(t testing.TB, cfg config.C) (config.C, DB, *sql.DB)
- func NewConnectionForRoot(root *config.Root, logger *slog.Logger) (DB, error)
- func NewPostgresConnection(dbConfig *config.DatabasePostgres, l *slog.Logger) (DB, error)
- func NewSqliteConnection(dbConfig *config.DatabaseSqlite, l *slog.Logger) (DB, error)
- type DeletedHandling
- type EncryptedFieldRegistration
- type EncryptionKey
- type EncryptionKeyOrderByField
- type EncryptionKeyState
- type EncryptionKeyVersion
- type IActorData
- type IActorDataExtended
- type LabelOperator
- type LabelRequirement
- type LabelSelector
- type Labels
- type ListActorsBuilder
- type ListActorsExecutor
- type ListConnectionsBuilder
- type ListConnectionsExecutor
- type ListConnectorVersionsBuilder
- type ListConnectorVersionsExecutor
- type ListConnectorsBuilder
- type ListConnectorsExecutor
- type ListEncryptionKeysBuilder
- type ListEncryptionKeysExecutor
- type ListNamespacesBuilder
- type ListNamespacesExecutor
- type Namespace
- type NamespaceEncryptionTarget
- type NamespaceOrderByField
- type NamespaceState
- type NamespaceTargetEncryptionKeyVersionUpdate
- type OAuth2Token
- type OAuth2TokenWithConnection
- type Permissions
- type ReEncryptedFieldUpdate
- type ReEncryptionTarget
- type UpsertConnectorVersionResult
- type UsedNonce
Constants ¶
// Length limits for Kubernetes-style labels. ValidateLabelKey splits a key into
// [prefix/]name and applies the prefix and name limits to each half separately;
// ValidateLabelValue applies the value limit.
const (
	// LabelKeyNameMaxLength is the maximum length for the name portion of a label key
	LabelKeyNameMaxLength = 63
	// LabelKeyPrefixMaxLength is the maximum length for the optional prefix portion of a label key
	LabelKeyPrefixMaxLength = 253
	// LabelValueMaxLength is the maximum length for a label value
	LabelValueMaxLength = 63
)
Kubernetes-style label restrictions
// ActorTable is the SQL table name for Actor rows.
const ActorTable = "actors"
const (
	// AnnotationsTotalMaxSize is the maximum total size of all annotations (keys + values) in bytes.
	// This is the only size bound on annotations: ValidateAnnotationValue does not limit a single
	// value, so one value may consume the whole budget.
	AnnotationsTotalMaxSize = 256 * 1024 // 256KB
)
// ConnectionsTable is the SQL table name for Connection rows.
const ConnectionsTable = "connections"

// ConnectorVersionsTable is the SQL table name for ConnectorVersion rows.
const ConnectorVersionsTable = "connector_versions"

// EncryptionKeyVersionsTable is the SQL table name for EncryptionKeyVersion rows.
const EncryptionKeyVersionsTable = "encryption_key_versions"

// EncryptionKeysTable is the SQL table name for EncryptionKey rows.
const EncryptionKeysTable = "encryption_keys"

// MigrateMutexKeyName is the key that can be used when locking to perform a
// migration in redis, so that only one process runs DB.Migrate at a time.
const MigrateMutexKeyName = "db-migrate-lock"
MigrateMutexKeyName is the key that can be used when locking to perform a migration in redis.
// NamespacesTable is the SQL table name for Namespace rows.
const NamespacesTable = "namespaces"

// OAuth2TokensTable is the SQL table name for OAuth2Token rows.
const OAuth2TokensTable = "oauth2_tokens"

// UsedNoncesTable is the SQL table name for UsedNonce rows (see DB.CheckNonceValidAndMarkUsed).
const UsedNoncesTable = "used_nonces"
Variables ¶
// Aliases for the aschema namespace-path helpers, re-exported from this package.
var (
	ValidateNamespacePath        = aschema.ValidateNamespacePath
	ValidateNamespaceMatcher     = aschema.ValidateNamespaceMatcher
	SplitNamespacePathToPrefixes = aschema.SplitNamespacePathToPrefixes
	DepthOfNamespacePath         = aschema.DepthOfNamespacePath
)
// ErrDuplicate is returned when a database operation that is expected to be unique
// fails because a duplicate record already exists. Test for it with errors.Is.
var ErrDuplicate = errors.New("duplicate record")
ErrDuplicate is returned when a database operation that is expected to be unique fails because a duplicate record already exists.
// ErrNamespaceDoesNotExist is returned when a resource is created in a namespace
// that does not exist. Test for it with errors.Is.
var ErrNamespaceDoesNotExist = errors.New("namespace does not exist")
ErrNamespaceDoesNotExist is returned when a namespace does not exist for a resource that is attempting to be created in the specified namespace.
// ErrNotFound is returned when a database operation that is expected to find a
// record does not find it. Test for it with errors.Is.
var ErrNotFound = errors.New("record not found")
ErrNotFound is returned when a database operation that is expected to find a record does not find the record.
// ErrProtected is returned when an operation is attempted on a protected resource
// that cannot be modified in the requested way (for example the root encryption
// key, GlobalEncryptionKeyID, which must not be deleted). Test for it with errors.Is.
var ErrProtected = errors.New("resource is protected")
ErrProtected is returned when an operation is attempted on a protected resource that cannot be modified in the requested way.
// ErrViolation is returned when a database constraint is violated (e.g. multiple
// rows with the same ID) after an operation that should have been unique. It
// signals an inconsistent store rather than bad input. Test for it with errors.Is.
var ErrViolation = errors.New("database constraint violation")
ErrViolation is returned when a constraint in the database is violated (e.g. multiple rows with the same ID) after an operation that should have been unique.
// GlobalEncryptionKeyID is the ID of the global encryption key created by migration.
// It is the root of the encryption key hierarchy (the one EncryptionKey with nil
// EncryptedKeyData) and must not be deleted.
// NOTE(review): this is a var, so it can be reassigned at runtime; nothing here
// prevents accidental repointing of the root key id.
var GlobalEncryptionKeyID = apid.ID("ek_global")
GlobalEncryptionKeyID is the ID of the global encryption key created by migration. It is the root of the encryption key hierarchy and must not be deleted.
Functions ¶
func BuildLabelSelectorFromMap ¶
BuildLabelSelectorFromMap creates a label selector string from key-value pairs. Keys are sorted for deterministic output. Example: {"type": "salesforce", "env": "prod"} -> "env=prod,type=salesforce"
func IsValidActorOrderByField ¶
func IsValidActorOrderByField[T string | ActorOrderByField](field T) bool
IsValidActorOrderByField checks if the given value is a valid ActorOrderByField.
func IsValidConnectionOrderByField ¶
func IsValidConnectionOrderByField[T string | ConnectionOrderByField](field T) bool
func IsValidConnectionState ¶
func IsValidConnectionState[T string | ConnectionState](state T) bool
func IsValidConnectorOrderByField ¶
func IsValidConnectorOrderByField[T string | ConnectorOrderByField](field T) bool
func IsValidConnectorVersionOrderByField ¶
func IsValidConnectorVersionOrderByField[T string | ConnectorVersionOrderByField](field T) bool
func IsValidConnectorVersionState ¶
func IsValidConnectorVersionState[T string | ConnectorVersionState](state T) bool
func IsValidEncryptionKeyOrderByField ¶
func IsValidEncryptionKeyOrderByField[T string | EncryptionKeyOrderByField](field T) bool
func IsValidEncryptionKeyState ¶
func IsValidEncryptionKeyState[T string | EncryptionKeyState](state T) bool
func IsValidNamespaceOrderByField ¶
func IsValidNamespaceOrderByField[T string | NamespaceOrderByField](field T) bool
func IsValidNamespaceState ¶
func IsValidNamespaceState[T string | NamespaceState](state T) bool
func RegisterEncryptedField ¶
func RegisterEncryptedField(reg EncryptedFieldRegistration)
RegisterEncryptedField adds an encrypted field registration to the global registry. Panics if the registration is invalid. Must be called during init().
func ValidateAnnotationKey ¶
ValidateAnnotationKey validates a single annotation key. Annotation keys follow the same format as label keys.
func ValidateAnnotationValue ¶
ValidateAnnotationValue validates a single annotation value. Annotation values have no format restriction — any string is allowed. Individual value size is not restricted; only the total annotations size is checked.
func ValidateAnnotations ¶
ValidateAnnotations validates all annotations in a map.
func ValidateLabelKey ¶
ValidateLabelKey validates a single label key according to Kubernetes restrictions. Format: [prefix/]name - prefix (optional): valid DNS subdomain, max 253 characters - name (required): 1-63 characters, must start/end with alphanumeric, may contain '-', '_', '.'
func ValidateLabelValue ¶
ValidateLabelValue validates a single label value according to Kubernetes restrictions. - 0-63 characters (can be empty) - if non-empty: must start and end with alphanumeric, may contain alphanumeric, '-', '_', '.'
func ValidateLabels ¶
ValidateLabels validates all labels in a map according to Kubernetes restrictions.
Types ¶
type Actor ¶
// Actor is some entity taking action within the system, stored in ActorTable.
// It satisfies IActorDataExtended through its getters, so an Actor can be passed
// straight to DB.UpsertActor.
type Actor struct {
	Id          apid.ID
	Namespace   string // namespace path the actor belongs to
	ExternalId  string // caller-assigned identity; DB.GetActorByExternalId looks up by (Namespace, ExternalId)
	Permissions Permissions
	Labels      Labels      // validated with ValidateLabels (Kubernetes-style restrictions)
	Annotations Annotations // validated with ValidateAnnotations (256KB total cap)
	// EncryptedKey is the key the actor can self-sign requests with (see
	// CanSelfSign), in encrypted form; nil when the actor has none. Handle as a
	// secret even though it is ciphertext.
	EncryptedKey *encfield.EncryptedField
	CreatedAt    time.Time
	UpdatedAt    time.Time
	EncryptedAt  *time.Time // NOTE(review): presumably when EncryptedKey was last (re-)encrypted, nil if never — confirm
	DeletedAt    *time.Time // nil unless soft-deleted; DB.PurgeSoftDeletedRecords hard-deletes by this timestamp
}
Actor is some entity taking action within the system.
func (*Actor) CanSelfSign ¶
CanSelfSign returns true if this actor has an encrypted key and can self-sign requests
func (*Actor) GetAnnotations ¶
func (*Actor) GetEncryptedKey ¶
func (a *Actor) GetEncryptedKey() *encfield.EncryptedField
func (*Actor) GetExternalId ¶
func (*Actor) GetNamespace ¶
func (*Actor) GetPermissions ¶
func (a *Actor) GetPermissions() []aschema.Permission
type ActorOrderByField ¶
// ActorOrderByField names the column ListActorsBuilder.OrderBy sorts on. The
// values look like column names and are presumably spliced into ORDER BY, so a
// value originating from a request must be checked with IsValidActorOrderByField
// before it is used.
type ActorOrderByField string

const (
	ActorOrderByCreatedAt  ActorOrderByField = "created_at"
	ActorOrderByUpdatedAt  ActorOrderByField = "updated_at"
	ActorOrderByNamespace  ActorOrderByField = "namespace"
	ActorOrderByExternalId ActorOrderByField = "external_id"
	ActorOrderByDeletedAt  ActorOrderByField = "deleted_at"
)
type Annotations ¶
Annotations is a map of key-value pairs similar to Kubernetes annotations. Keys follow the same format as label keys ([prefix/]name). Values have no format restriction — any string is allowed. Total size of all annotations (keys + values) must not exceed 256KB.
func (Annotations) Copy ¶
func (a Annotations) Copy() Annotations
Copy returns a deep copy of the annotations.
func (Annotations) Get ¶
func (a Annotations) Get(key string) (string, bool)
Get returns the value for an annotation key, and whether the key exists.
func (Annotations) Has ¶
func (a Annotations) Has(key string) bool
Has returns true if the annotation key exists.
func (*Annotations) Scan ¶
func (a *Annotations) Scan(value interface{}) error
Scan implements the sql.Scanner interface for Annotations
func (Annotations) Validate ¶
func (a Annotations) Validate() error
Validate validates all annotations.
type Connection ¶
// Connection is a configured instance of a connector, stored in ConnectionsTable.
// ConnectorId and ConnectorVersion together identify the ConnectorVersion it
// runs against (see DB.GetConnectorVersion).
type Connection struct {
	Id               apid.ID
	Namespace        string
	State            ConnectionState // one of the ConnectionState* constants
	ConnectorId      apid.ID
	ConnectorVersion uint64
	Labels           Labels
	Annotations      Annotations
	// EncryptedConfiguration holds the connection's configuration in encrypted
	// form (presumably including credentials); nil when none has been set. It is
	// written through DB.SetConnectionEncryptedConfiguration.
	EncryptedConfiguration *encfield.EncryptedField
	EncryptedAt            *time.Time
	SetupStep              *cschema.SetupStep // ListConnectionsBuilder.WithSetupStepNotNull filters on this being non-nil
	SetupError             *string            // set through DB.SetConnectionSetupError; nil when no error is recorded
	CreatedAt              time.Time
	UpdatedAt              time.Time
	DeletedAt              *time.Time // nil unless soft-deleted
}
func (*Connection) GetConnectorId ¶
func (c *Connection) GetConnectorId() apid.ID
func (*Connection) GetConnectorVersion ¶
func (c *Connection) GetConnectorVersion() uint64
func (*Connection) GetId ¶
func (c *Connection) GetId() apid.ID
func (*Connection) GetNamespace ¶
func (c *Connection) GetNamespace() string
func (*Connection) Validate ¶
func (c *Connection) Validate() error
type ConnectionOrderByField ¶
// ConnectionOrderByField names the column ListConnectionsBuilder.OrderBy sorts on.
// Check request-supplied values with IsValidConnectionOrderByField before use,
// since the values are presumably spliced into ORDER BY.
type ConnectionOrderByField string

const (
	ConnectionOrderById        ConnectionOrderByField = "id"
	ConnectionOrderByNamespace ConnectionOrderByField = "namespace"
	ConnectionOrderByState     ConnectionOrderByField = "state"
	ConnectionOrderByCreatedAt ConnectionOrderByField = "created_at"
	ConnectionOrderByUpdatedAt ConnectionOrderByField = "updated_at"
)
type ConnectionState ¶
// ConnectionState is the lifecycle state of a Connection (Connection.State, set
// through DB.SetConnectionState). Validate externally supplied values with
// IsValidConnectionState; the allowed transitions are not defined here.
type ConnectionState string

const (
	ConnectionStateCreated       ConnectionState = "created"
	ConnectionStateReady         ConnectionState = "ready"
	ConnectionStateDisabled      ConnectionState = "disabled"
	ConnectionStateDisconnecting ConnectionState = "disconnecting"
	ConnectionStateDisconnected  ConnectionState = "disconnected"
)
type Connector ¶
// Connector object is returned from queries for connectors, with one record per id.
// It embeds one ConnectorVersion for that id (which one is not specified here —
// NOTE(review): presumably the newest; confirm) and aggregates some information
// across all versions for the connector.
type Connector struct {
	ConnectorVersion
	TotalVersions int64                  // count of versions that exist for this id
	States        ConnectorVersionStates // states of all versions for this id
}
Connector object is returned from queries for connectors, with one record per id. It aggregates some information across all versions for a connector.
type ConnectorOrderByField ¶
// ConnectorOrderByField names the column ListConnectorsBuilder.OrderBy sorts on.
// Check request-supplied values with IsValidConnectorOrderByField before use,
// since the values are presumably spliced into ORDER BY.
type ConnectorOrderByField string

const (
	ConnectorOrderById        ConnectorOrderByField = "id"
	ConnectorOrderByVersion   ConnectorOrderByField = "version"
	ConnectorOrderByNamespace ConnectorOrderByField = "namespace"
	ConnectorOrderByState     ConnectorOrderByField = "state"
	ConnectorOrderByCreatedAt ConnectorOrderByField = "created_at"
	ConnectorOrderByUpdatedAt ConnectorOrderByField = "updated_at"
	ConnectorOrderByType      ConnectorOrderByField = "type"
)
type ConnectorVersion ¶
// ConnectorVersion is one revision of a connector definition, keyed by (Id, Version)
// and stored in ConnectorVersionsTable; see DB.GetConnectorVersion. Connector embeds
// it for the per-connector aggregate view.
type ConnectorVersion struct {
	Id        apid.ID
	Version   uint64
	Namespace string
	State     ConnectorVersionState // see the ConnectorVersionState constants for the lifecycle
	Hash      string                // NOTE(review): presumably a digest of the definition; what it covers is not visible here — confirm
	// EncryptedDefinition is a value, not a pointer: every version carries an
	// encrypted definition.
	EncryptedDefinition encfield.EncryptedField
	Labels              Labels
	Annotations         Annotations
	CreatedAt           time.Time
	UpdatedAt           time.Time
	EncryptedAt         *time.Time
	DeletedAt           *time.Time // nil unless soft-deleted
}
func (*ConnectorVersion) GetId ¶
func (cv *ConnectorVersion) GetId() apid.ID
func (*ConnectorVersion) GetNamespace ¶
func (cv *ConnectorVersion) GetNamespace() string
func (*ConnectorVersion) GetVersion ¶
func (cv *ConnectorVersion) GetVersion() uint64
func (*ConnectorVersion) Validate ¶
func (cv *ConnectorVersion) Validate() error
type ConnectorVersionId ¶
type ConnectorVersionOrderByField ¶
// ConnectorVersionOrderByField names the column ListConnectorVersionsBuilder.OrderBy
// sorts on. Check request-supplied values with IsValidConnectorVersionOrderByField
// before use, since the values are presumably spliced into ORDER BY.
type ConnectorVersionOrderByField string

const (
	ConnectorVersionOrderById        ConnectorVersionOrderByField = "id"
	ConnectorVersionOrderByVersion   ConnectorVersionOrderByField = "version"
	ConnectorVersionOrderByState     ConnectorVersionOrderByField = "state"
	ConnectorVersionOrderByCreatedAt ConnectorVersionOrderByField = "created_at"
	ConnectorVersionOrderByUpdatedAt ConnectorVersionOrderByField = "updated_at"
)
type ConnectorVersionState ¶
// ConnectorVersionState is the lifecycle state of a ConnectorVersion. Validate
// externally supplied values with IsValidConnectorVersionState; Scan implements
// sql.Scanner so the value can be read directly from a row.
type ConnectorVersionState string

const (
	// ConnectorVersionStateDraft means the connector definition is being worked on and new users should not connect to
	// this version and existing users should not be upgraded to this version
	ConnectorVersionStateDraft ConnectorVersionState = "draft"
	// ConnectorVersionStatePrimary means that the version has been published and this should be the version used for
	// new connections. Existing connections of this connector will be upgraded to this version if possible, or
	// transitioned to a state where action is required to complete the upgrade.
	ConnectorVersionStatePrimary ConnectorVersionState = "primary"
	// ConnectorVersionStateActive means that a newer version of the connector has been published, but connections
	// still exist on this version that have not been upgraded.
	ConnectorVersionStateActive ConnectorVersionState = "active"
	// ConnectorVersionStateArchived means that this is an old version of the connector that does not have any active
	// connections running on the version.
	ConnectorVersionStateArchived ConnectorVersionState = "archived"
)
func (*ConnectorVersionState) Scan ¶
func (s *ConnectorVersionState) Scan(value interface{}) error
Scan implements the sql.Scanner interface for ConnectorVersionState
type ConnectorVersionStates ¶
// ConnectorVersionStates is a custom type for a slice of ConnectorVersionState. It
// exists so the slice can implement sql.Scanner (see Scan); Connector.States uses
// it to carry the states across all versions of a connector.
type ConnectorVersionStates []ConnectorVersionState
ConnectorVersionStates is a custom type for a slice of ConnectorVersionState
func (*ConnectorVersionStates) Scan ¶
func (s *ConnectorVersionStates) Scan(value interface{}) error
Scan implements the sql.Scanner interface for ConnectorVersionStates
type DB ¶
// DB is the storage contract shared by the Postgres and SQLite backends
// (NewPostgresConnection, NewSqliteConnection). Every method takes a context
// first. Lookup and uniqueness failures surface as the package sentinels
// (ErrNotFound, ErrDuplicate, ErrNamespaceDoesNotExist, ErrProtected,
// ErrViolation) — NOTE(review): which method returns which sentinel is not
// visible from the interface; confirm against the implementations.
//
// Secret-bearing data (actor keys, connection configuration, OAuth2 tokens)
// crosses this interface only as encfield.EncryptedField values; no method
// here takes or returns plaintext secrets.
type DB interface {
	// SetCursorEncryptor installs the encryptor for pagination cursors. The
	// cursor strings accepted by the *FromCursor methods are client-supplied;
	// presumably this encryptor is what makes them tamper-evident — confirm
	// that a cursor that fails to decrypt is rejected rather than parsed.
	SetCursorEncryptor(e pagination.CursorEncryptor)
	// Migrate applies the schema migrations; MigrateMutexKeyName is the lock key
	// for serialising this across processes.
	Migrate(ctx context.Context) error
	// Ping returns only a bool, so callers get no detail on why a check failed.
	Ping(ctx context.Context) bool

	/*
	 * Namespaces
	 */
	GetNamespace(ctx context.Context, path string) (*Namespace, error)
	CreateNamespace(ctx context.Context, ns *Namespace) error
	// EnsureNamespaceByPath creates the namespace if needed; unlike CreateNamespace
	// it presumably does not fail on an existing path — confirm.
	EnsureNamespaceByPath(ctx context.Context, path string) error
	DeleteNamespace(ctx context.Context, path string) error
	SetNamespaceState(ctx context.Context, path string, state NamespaceState) error
	// SetNamespaceEncryptionKeyId points the namespace at an EncryptionKey. A nil
	// ekId presumably reverts to the global key (GlobalEncryptionKeyID) — confirm.
	SetNamespaceEncryptionKeyId(ctx context.Context, path string, ekId *apid.ID) (*Namespace, error)
	// Update*/Put*/Delete* label and annotation methods (here and on the other
	// resources below): by analogy with the IActorData.GetAnnotations contract,
	// Update presumably merges, Put replaces the whole map and Delete removes the
	// listed keys — the interface itself does not say; confirm. Each returns the
	// updated record; inputs are presumably validated with ValidateLabels /
	// ValidateAnnotations.
	UpdateNamespaceLabels(ctx context.Context, path string, labels map[string]string) (*Namespace, error)
	PutNamespaceLabels(ctx context.Context, path string, labels map[string]string) (*Namespace, error)
	DeleteNamespaceLabels(ctx context.Context, path string, keys []string) (*Namespace, error)
	UpdateNamespaceAnnotations(ctx context.Context, path string, annotations map[string]string) (*Namespace, error)
	PutNamespaceAnnotations(ctx context.Context, path string, annotations map[string]string) (*Namespace, error)
	DeleteNamespaceAnnotations(ctx context.Context, path string, keys []string) (*Namespace, error)
	ListNamespacesBuilder() ListNamespacesBuilder
	// ListNamespacesFromCursor resumes a listing from an opaque cursor (see
	// SetCursorEncryptor); the cursor alone carries the filters and position.
	ListNamespacesFromCursor(ctx context.Context, cursor string) (ListNamespacesExecutor, error)
	// EnumerateNamespaceEncryptionTargets pages through the namespaces' encryption
	// targets. The callback may hand back key-version updates for the page, which
	// the implementation presumably applies before fetching the next page; a
	// non-continuing keepGoing stops the walk.
	EnumerateNamespaceEncryptionTargets(
		ctx context.Context,
		callback func(targets []NamespaceEncryptionTarget, lastPage bool) (updates []NamespaceTargetEncryptionKeyVersionUpdate, keepGoing pagination.KeepGoing, err error),
	) error

	/*
	 * Actors
	 */
	GetActor(ctx context.Context, id apid.ID) (*Actor, error)
	GetActorByExternalId(ctx context.Context, namespace, externalId string) (*Actor, error)
	CreateActor(ctx context.Context, actor *Actor) error
	// UpsertActor accepts any IActorData (IActorDataExtended additionally carries
	// the encrypted key); see IActorData.GetAnnotations for nil-vs-empty semantics.
	UpsertActor(ctx context.Context, actor IActorData) (*Actor, error)
	DeleteActor(ctx context.Context, id apid.ID) error
	// Note there is no UpdateActorLabels counterpart to the Update* label methods
	// of the other resources; labels on actors are replaced (Put) or removed (Delete).
	PutActorLabels(ctx context.Context, id apid.ID, labels map[string]string) (*Actor, error)
	DeleteActorLabels(ctx context.Context, id apid.ID, keys []string) (*Actor, error)
	UpdateActorAnnotations(ctx context.Context, id apid.ID, annotations map[string]string) (*Actor, error)
	PutActorAnnotations(ctx context.Context, id apid.ID, annotations map[string]string) (*Actor, error)
	DeleteActorAnnotations(ctx context.Context, id apid.ID, keys []string) (*Actor, error)
	ListActorsBuilder() ListActorsBuilder
	ListActorsFromCursor(ctx context.Context, cursor string) (ListActorsExecutor, error)

	/*
	 * Connector versions and connectors
	 */
	GetConnectorVersion(ctx context.Context, id apid.ID, version uint64) (*ConnectorVersion, error)
	// GetConnectorVersions batch-resolves the requested (id, version) pairs. The
	// result is keyed by the request, so a missing key presumably means not
	// found rather than an error — confirm.
	GetConnectorVersions(ctx context.Context, requested []ConnectorVersionId) (map[ConnectorVersionId]*ConnectorVersion, error)
	// GetConnectorVersionForLabels resolves a version by label selector, presumably
	// in ParseLabelSelector syntax. Whether this method parses and validates the
	// selector itself is not visible here; selectors from request input should be
	// run through ParseLabelSelector before reaching storage.
	GetConnectorVersionForLabels(ctx context.Context, labelSelector string) (*ConnectorVersion, error)
	GetConnectorVersionForLabelsAndVersion(ctx context.Context, labelSelector string, version uint64) (*ConnectorVersion, error)
	GetConnectorVersionForState(ctx context.Context, id apid.ID, state ConnectorVersionState) (*ConnectorVersion, error)
	NewestConnectorVersionForId(ctx context.Context, id apid.ID) (*ConnectorVersion, error)
	// NewestPublishedConnectorVersionForId presumably skips drafts, in contrast to
	// NewestConnectorVersionForId — confirm which states count as published.
	NewestPublishedConnectorVersionForId(ctx context.Context, id apid.ID) (*ConnectorVersion, error)
	UpsertConnectorVersion(ctx context.Context, cv *ConnectorVersion) error
	SetConnectorVersionState(ctx context.Context, id apid.ID, version uint64, state ConnectorVersionState) error
	ListConnectorVersionsBuilder() ListConnectorVersionsBuilder
	ListConnectorVersionsFromCursor(ctx context.Context, cursor string) (ListConnectorVersionsExecutor, error)
	ListConnectorsBuilder() ListConnectorsBuilder
	ListConnectorsFromCursor(ctx context.Context, cursor string) (ListConnectorsExecutor, error)

	/*
	 * Connections
	 */
	GetConnection(ctx context.Context, id apid.ID) (*Connection, error)
	CreateConnection(ctx context.Context, c *Connection) error
	DeleteConnection(ctx context.Context, id apid.ID) error
	SetConnectionState(ctx context.Context, id apid.ID, state ConnectionState) error
	SetConnectionSetupStep(ctx context.Context, id apid.ID, setupStep *cschema.SetupStep) error
	SetConnectionSetupError(ctx context.Context, id apid.ID, setupError *string) error
	// SetConnectionEncryptedConfiguration takes an already-encrypted field; the
	// caller is responsible for encrypting it under the namespace's current key
	// version (see GetCurrentEncryptionKeyVersionForNamespace).
	SetConnectionEncryptedConfiguration(ctx context.Context, id apid.ID, encryptedConfig *encfield.EncryptedField) error
	UpdateConnectionLabels(ctx context.Context, id apid.ID, labels map[string]string) (*Connection, error)
	PutConnectionLabels(ctx context.Context, id apid.ID, labels map[string]string) (*Connection, error)
	DeleteConnectionLabels(ctx context.Context, id apid.ID, keys []string) (*Connection, error)
	UpdateConnectionAnnotations(ctx context.Context, id apid.ID, annotations map[string]string) (*Connection, error)
	PutConnectionAnnotations(ctx context.Context, id apid.ID, annotations map[string]string) (*Connection, error)
	DeleteConnectionAnnotations(ctx context.Context, id apid.ID, keys []string) (*Connection, error)
	ListConnectionsBuilder() ListConnectionsBuilder
	ListConnectionsFromCursor(ctx context.Context, cursor string) (ListConnectionsExecutor, error)

	/*
	 * OAuth2 tokens
	 */
	GetOAuth2Token(ctx context.Context, connectionId apid.ID) (*OAuth2Token, error)
	// InsertOAuth2Token stores a token pair for a connection. Both tokens arrive
	// already encrypted. refreshedFrom links a refreshed token to the one it
	// replaced (presumably nil for an initial grant — confirm); scopes is the
	// granted scope string as issued.
	InsertOAuth2Token(
		ctx context.Context,
		connectionId apid.ID,
		refreshedFrom *apid.ID,
		encryptedRefreshToken encfield.EncryptedField,
		encryptedAccessToken encfield.EncryptedField,
		accessTokenExpiresAt *time.Time,
		scopes string,
	) (*OAuth2Token, error)
	DeleteOAuth2Token(ctx context.Context, tokenId apid.ID) error
	DeleteAllOAuth2TokensForConnection(ctx context.Context, connectionId apid.ID) error
	// EnumerateOAuth2TokensExpiringWithin enumerates OAuth2 tokens that are expiring within a specified time interval
	// of now. This includes tokens that are already expired. Deleted tokens are not considered, nor are tokens tied
	// to a deleted connection.
	EnumerateOAuth2TokensExpiringWithin(
		ctx context.Context,
		duration time.Duration,
		callback func(tokens []*OAuth2TokenWithConnection, lastPage bool) (keepGoing pagination.KeepGoing, err error),
	) error

	/*
	 * Encryption keys
	 */
	GetEncryptionKey(ctx context.Context, id apid.ID) (*EncryptionKey, error)
	CreateEncryptionKey(ctx context.Context, ek *EncryptionKey) error
	// UpdateEncryptionKey applies a generic field→value map; it is the only
	// untyped update on this interface. NOTE(review): if the map keys are column
	// names spliced into the UPDATE statement, they must come from code, never
	// from request input — confirm the implementation allow-lists the keys.
	UpdateEncryptionKey(ctx context.Context, id apid.ID, updates map[string]interface{}) (*EncryptionKey, error)
	// DeleteEncryptionKey must refuse the root key (GlobalEncryptionKeyID);
	// ErrProtected is the sentinel for that case — presumably; confirm.
	DeleteEncryptionKey(ctx context.Context, id apid.ID) error
	SetEncryptionKeyState(ctx context.Context, id apid.ID, state EncryptionKeyState) error
	UpdateEncryptionKeyLabels(ctx context.Context, id apid.ID, labels map[string]string) (*EncryptionKey, error)
	PutEncryptionKeyLabels(ctx context.Context, id apid.ID, labels map[string]string) (*EncryptionKey, error)
	DeleteEncryptionKeyLabels(ctx context.Context, id apid.ID, keys []string) (*EncryptionKey, error)
	UpdateEncryptionKeyAnnotations(ctx context.Context, id apid.ID, annotations map[string]string) (*EncryptionKey, error)
	PutEncryptionKeyAnnotations(ctx context.Context, id apid.ID, annotations map[string]string) (*EncryptionKey, error)
	DeleteEncryptionKeyAnnotations(ctx context.Context, id apid.ID, keys []string) (*EncryptionKey, error)
	ListEncryptionKeysBuilder() ListEncryptionKeysBuilder
	ListEncryptionKeysFromCursor(ctx context.Context, cursor string) (ListEncryptionKeysExecutor, error)
	// EnumerateEncryptionKeysInDependencyOrder loads all non-deleted encryption keys and walks them
	// in breadth-first order starting from the root key (the one with nil EncryptedKeyData).
	// The callback receives one depth-level of keys at a time, with depth 0 being the root.
	// Returns a slice of orphaned keys whose parent encryption key version could not be resolved.
	// Orphans are data that can no longer be decrypted through the hierarchy; callers
	// should surface them rather than silently drop them.
	EnumerateEncryptionKeysInDependencyOrder(
		ctx context.Context,
		callback func(keys []*EncryptionKey, depth int) (keepGoing pagination.KeepGoing, err error),
	) ([]*EncryptionKey, error)

	/*
	 * Encryption key versions
	 */
	CreateEncryptionKeyVersion(ctx context.Context, ekv *EncryptionKeyVersion) error
	GetEncryptionKeyVersion(ctx context.Context, id apid.ID) (*EncryptionKeyVersion, error)
	// "Current" is a per-key flag (EncryptionKeyVersion.IsCurrent) managed with
	// ClearCurrentFlag* and SetEncryptionKeyVersionCurrentFlag, so a rotation is a
	// multi-step sequence. NOTE(review): nothing on this interface makes that
	// sequence atomic — confirm that callers or implementations guard against a
	// concurrent rotation leaving zero or two current versions.
	GetCurrentEncryptionKeyVersionForEncryptionKey(ctx context.Context, encryptionKeyId apid.ID) (*EncryptionKeyVersion, error)
	ListEncryptionKeyVersionsForEncryptionKey(ctx context.Context, encryptionKeyId apid.ID) ([]*EncryptionKeyVersion, error)
	GetMaxOrderedVersionForEncryptionKey(ctx context.Context, encryptionKeyId apid.ID) (int64, error)
	ClearCurrentFlagForEncryptionKey(ctx context.Context, encryptionKeyId apid.ID) error
	// The *ForNamespace variants presumably resolve the namespace's configured key
	// first (see SetNamespaceEncryptionKeyId) and then behave like the
	// *ForEncryptionKey variants — confirm.
	GetCurrentEncryptionKeyVersionForNamespace(ctx context.Context, namespacePath string) (*EncryptionKeyVersion, error)
	ListEncryptionKeyVersionsForNamespace(ctx context.Context, namespacePath string) ([]*EncryptionKeyVersion, error)
	GetMaxOrderedVersionForNamespace(ctx context.Context, namespacePath string) (int64, error)
	ClearCurrentFlagForNamespace(ctx context.Context, namespacePath string) error
	DeleteEncryptionKeyVersion(ctx context.Context, id apid.ID) error
	DeleteEncryptionKeyVersionsForEncryptionKey(ctx context.Context, encryptionKeyId apid.ID) error
	SetEncryptionKeyVersionCurrentFlag(ctx context.Context, id apid.ID, isCurrent bool) error
	// EnumerateEncryptionKeyVersionsForKey enumerates all non-deleted encryption key versions for a
	// specified key in batches.
	EnumerateEncryptionKeyVersionsForKey(
		ctx context.Context,
		ekId apid.ID,
		callback func(ekvs []*EncryptionKeyVersion, lastPage bool) (keepGoing pagination.KeepGoing, err error),
	) error

	/*
	 * Re-encryption and maintenance
	 */
	// EnumerateFieldsRequiringReEncryption walks all registered encrypted fields across all tables,
	// finding rows whose encrypted field EKV ID does not match the namespace's target EKV ID.
	// The set of tables and columns walked comes from RegisterEncryptedField.
	EnumerateFieldsRequiringReEncryption(
		ctx context.Context,
		callback func(targets []ReEncryptionTarget, lastPage bool) (keepGoing pagination.KeepGoing, err error),
	) error
	// BatchUpdateReEncryptedFields updates encrypted field values after re-encryption,
	// setting the new value and updating encrypted_at.
	BatchUpdateReEncryptedFields(ctx context.Context, updates []ReEncryptedFieldUpdate) error
	// PurgeSoftDeletedRecords hard-deletes all soft-deleted records where deleted_at is before olderThan.
	// Returns the total number of records deleted across all tables.
	PurgeSoftDeletedRecords(ctx context.Context, olderThan time.Time) (int64, error)

	/*
	 * Nonces (replay protection)
	 */
	// HasNonceBeenUsed is read-only. A check here followed by a separate write is
	// not atomic, so two concurrent replays of the same request could both pass;
	// request handlers should use CheckNonceValidAndMarkUsed, which pairs the check
	// with the mark. NOTE(review): that method's atomicity is an implementation
	// property (e.g. a single conditional insert) — confirm for both backends.
	HasNonceBeenUsed(ctx context.Context, nonce apid.ID) (hasBeenUsed bool, err error)
	// CheckNonceValidAndMarkUsed reports wasValid=true only if nonce had not been
	// used, and records it. retainRecordUntil presumably bounds how long the
	// used-nonce row is kept before DeleteExpiredNonces may drop it; it must not be
	// earlier than the expiry of the request the nonce protects, or a replay after
	// the purge would be accepted — confirm how callers choose it.
	CheckNonceValidAndMarkUsed(ctx context.Context, nonce apid.ID, retainRecordUntil time.Time) (wasValid bool, err error)
	DeleteExpiredNonces(ctx context.Context) (err error)
}
func MustApplyBlankTestDbConfig ¶
MustApplyBlankTestDbConfig applies a test database configuration to the specified config root. The database is guaranteed to be blank and migrated. This method uses a temp file so that the database will eventually be cleaned up after the process exits. Note that the root's database configuration will be modified, and GlobalAESKey will be populated if it is not already set.
To support debugging tests by inspecting the SQLite database, this method uses the database at SQLITE_TEST_DATABASE_PATH when that env var is set. Any existing file at that path is deleted and recreated unless the SQLITE_TEST_DATABASE_PATH_CLEAR env var is set to false.
To run tests against Postgres, set AUTH_PROXY_TEST_DATABASE_PROVIDER=postgres and configure the connection with POSTGRES_TEST_HOST, POSTGRES_TEST_PORT, POSTGRES_TEST_USER, POSTGRES_TEST_PASSWORD, POSTGRES_TEST_DATABASE, and POSTGRES_TEST_OPTIONS. You can also tune POSTGRES_TEST_MAX_PARALLEL and POSTGRES_TEST_MAX_CONNS to reduce connection pressure.
Parameters: - t: the test instance used for naming and cleanup - cfg: the config to apply the database config to. This may be nil, in which case a new config is created. This method will overwrite the existing config.
Returns: - the config with information populated for the database. If a config was passed in, the same value is returned with data populated. - a database instance configured with the specified root. This database can be used directly, or, if the root is used again, it will connect to the same database instance.
func NewConnectionForRoot ¶
NewConnectionForRoot creates a new database connection from the specified configuration. The type of the database returned will be determined by the configuration. Same as NewConnection.
func NewPostgresConnection ¶
NewPostgresConnection creates a new database connection to a Postgres database.
func NewSqliteConnection ¶
NewSqliteConnection creates a new database connection to a SQLite database.
type DeletedHandling ¶
// DeletedHandling selects whether soft-deleted rows (DeletedAt != nil) appear in a
// listing; see ListConnectionsBuilder.WithDeletedHandling. The zero value excludes them.
type DeletedHandling bool

const (
	// DeletedHandlingExclude will exclude deleted records from the result set
	DeletedHandlingExclude DeletedHandling = false
	// DeletedHandlingInclude will include deleted records in the result set
	DeletedHandlingInclude DeletedHandling = true
)
type EncryptedFieldRegistration ¶
// EncryptedFieldRegistration declares which columns on a table contain encrypted
// fields and how the table resolves to a namespace. Registrations are added with
// RegisterEncryptedField during init() and drive DB.EnumerateFieldsRequiringReEncryption
// and DB.BatchUpdateReEncryptedFields.
//
// NOTE(review): every string here is a SQL identifier that is presumably spliced
// into generated queries, so values must only ever come from compile-time code,
// never from runtime input — confirm that RegisterEncryptedField's validation
// rejects anything that is not a plain identifier.
type EncryptedFieldRegistration struct {
	Table          string
	PrimaryKeyCols []string // e.g. ["id"] or ["id", "version"]
	EncryptedCols  []string // e.g. ["encrypted_access_token", "encrypted_refresh_token"]
	// Direct namespace resolution (most tables)
	NamespaceCol string // e.g. "namespace" — column on this table
	// Indirect namespace resolution via JOIN (e.g. oauth2_tokens → connections)
	// Presumably exactly one of NamespaceCol or the Join* group is set — confirm.
	JoinTable        string // e.g. "connections"
	JoinLocalCol     string // e.g. "connection_id" — FK column on this table
	JoinRemoteCol    string // e.g. "id" — PK column on join table
	JoinNamespaceCol string // e.g. "namespace" — namespace column on join table
}
EncryptedFieldRegistration declares which columns on a table contain encrypted fields and how the table resolves to a namespace.
func GetEncryptedFieldRegistrations ¶
func GetEncryptedFieldRegistrations() []EncryptedFieldRegistration
GetEncryptedFieldRegistrations returns a copy of all registered encrypted field registrations.
type EncryptionKey ¶
// EncryptionKey represents a user-managed encryption key configuration, stored in
// EncryptionKeysTable. Keys form a hierarchy rooted at GlobalEncryptionKeyID: each
// key's material is itself stored encrypted (EncryptedKeyData), and the root is the
// one key with nil EncryptedKeyData (see DB.EnumerateEncryptionKeysInDependencyOrder).
type EncryptionKey struct {
	Id               apid.ID
	Namespace        string
	EncryptedKeyData *encfield.EncryptedField // nil only for the root key
	State            EncryptionKeyState       // EncryptionKeyStateActive or EncryptionKeyStateDisabled
	Labels           Labels
	Annotations      Annotations
	CreatedAt        time.Time
	UpdatedAt        time.Time
	EncryptedAt      *time.Time
	DeletedAt        *time.Time // nil unless soft-deleted; the root key must not be deleted
}
EncryptionKey represents a user-managed encryption key configuration.
func (*EncryptionKey) GetNamespace ¶
func (ek *EncryptionKey) GetNamespace() string
func (*EncryptionKey) Validate ¶
func (ek *EncryptionKey) Validate() error
type EncryptionKeyOrderByField ¶
// EncryptionKeyOrderByField names the column ListEncryptionKeysBuilder.OrderBy sorts
// on. Check request-supplied values with IsValidEncryptionKeyOrderByField before use,
// since the values are presumably spliced into ORDER BY.
type EncryptionKeyOrderByField string

const (
	EncryptionKeyOrderByState     EncryptionKeyOrderByField = "state"
	EncryptionKeyOrderByCreatedAt EncryptionKeyOrderByField = "created_at"
	EncryptionKeyOrderByUpdatedAt EncryptionKeyOrderByField = "updated_at"
)
type EncryptionKeyState ¶
// EncryptionKeyState is the state of an EncryptionKey (EncryptionKey.State, set
// through DB.SetEncryptionKeyState). Validate externally supplied values with
// IsValidEncryptionKeyState. What a disabled key may still be used for (e.g.
// decrypting existing data) is not defined here.
type EncryptionKeyState string

const (
	EncryptionKeyStateActive   EncryptionKeyState = "active"
	EncryptionKeyStateDisabled EncryptionKeyState = "disabled"
)
type EncryptionKeyVersion ¶
// EncryptionKeyVersion is one rotation of an EncryptionKey, stored in
// EncryptionKeyVersionsTable. Versions of a key are ordered by OrderedVersion
// (DB.GetMaxOrderedVersionForEncryptionKey returns the highest) and one is flagged
// IsCurrent via DB.SetEncryptionKeyVersionCurrentFlag / ClearCurrentFlagForEncryptionKey.
// NOTE(review): "at most one current" is implied by the Get/Clear-current API, not
// enforced by this type — confirm in the implementations.
type EncryptionKeyVersion struct {
	Id              apid.ID
	EncryptionKeyId apid.ID // parent EncryptionKey
	// Provider, ProviderID and ProviderVersion identify the key version in an
	// external key provider — presumably a reference rather than key material; confirm.
	Provider        string
	ProviderID      string
	ProviderVersion string
	OrderedVersion  int64
	IsCurrent       bool
	CreatedAt       time.Time
	UpdatedAt       time.Time
	DeletedAt       *time.Time // nil unless soft-deleted
}
func (*EncryptionKeyVersion) Validate ¶
func (ekv *EncryptionKeyVersion) Validate() error
type IActorData ¶
// IActorData is the input shape DB.UpsertActor accepts. Actor satisfies it through
// its getters, as can any caller-defined type; IActorDataExtended adds the encrypted key.
type IActorData interface {
	GetId() apid.ID
	GetExternalId() string
	GetPermissions() []aschema.Permission
	GetNamespace() string
	// GetLabels returns the labels to apply on upsert. NOTE(review): unlike
	// GetAnnotations below, the nil-vs-empty semantics are not documented here —
	// confirm whether a nil return leaves existing labels unchanged.
	GetLabels() map[string]string
	// GetAnnotations returns the annotations to apply on upsert. A nil return means
	// annotations should be left unchanged on existing actors (PATCH semantics);
	// a non-nil map (including empty) is treated as a full replacement.
	GetAnnotations() map[string]string
}
type IActorDataExtended ¶
// IActorDataExtended extends IActorData for creating or updating actors with an
// encrypted key (e.g. for admin authentication). Only GetEncryptedKey is added
// here; labels already come from IActorData.GetLabels.
type IActorDataExtended interface {
	IActorData
	// GetEncryptedKey returns the actor's key in encrypted form, or nil for none
	// (see Actor.CanSelfSign).
	GetEncryptedKey() *encfield.EncryptedField
}
IActorDataExtended extends IActorData with additional fields for labels and encrypted key. This interface is used when creating or updating actors with extended data such as labels for tracking the source of admin syncs, or encrypted keys for admin authentication.
type LabelOperator ¶
// LabelOperator is the comparison in a LabelRequirement. The values mirror the
// ParseLabelSelector syntax: key=value, key!=value, key (exists), !key (does not exist).
type LabelOperator string

const (
	LabelOperatorEqual     LabelOperator = "="
	LabelOperatorNotEqual  LabelOperator = "!="
	LabelOperatorExists    LabelOperator = "exists"
	LabelOperatorNotExists LabelOperator = "!exists"
)
type LabelRequirement ¶
// LabelRequirement is one term of a parsed LabelSelector.
type LabelRequirement struct {
	Key      string
	Operator LabelOperator
	Value    string // presumably unused for LabelOperatorExists / LabelOperatorNotExists — confirm
}
type LabelSelector ¶
// LabelSelector is the parsed form of a selector string (see ParseLabelSelector);
// ApplyToSqlBuilderWithProvider applies it to an sq.SelectBuilder and String
// renders it back. Parsing through ParseLabelSelector is the validation step for
// selector strings that originate from requests.
type LabelSelector []LabelRequirement
func ParseLabelSelector ¶
func ParseLabelSelector(selector string) (LabelSelector, error)
ParseLabelSelector parses a Kubernetes-style label selector string. Supported syntax: - key=value, key==value - key!=value - key (exists) - !key (does not exist)
func (LabelSelector) ApplyToSqlBuilderWithProvider ¶
func (s LabelSelector) ApplyToSqlBuilderWithProvider(q sq.SelectBuilder, labelsColumn string, provider config.DatabaseProvider) sq.SelectBuilder
func (LabelSelector) String ¶
func (s LabelSelector) String() string
type Labels ¶
Labels is a map of key-value pairs following Kubernetes label restrictions. Keys take the form [prefix/]name, where the optional prefix is a valid DNS subdomain of at most 253 characters, and the required name is 1-63 characters, starts and ends with an alphanumeric character, and may otherwise contain '-', '_' and '.'. Values are 0-63 characters and, if non-empty, must start and end with an alphanumeric character.
type ListActorsBuilder ¶
// ListActorsBuilder accumulates filters, ordering and paging for an actor listing.
// Every method returns the builder for chaining; the embedded ListActorsExecutor
// runs the query.
type ListActorsBuilder interface {
	ListActorsExecutor
	ForExternalId(externalId string) ListActorsBuilder
	// ForNamespaceMatcher and ForNamespaceMatchers restrict by namespace; the matcher
	// syntax is not defined in this file.
	ForNamespaceMatcher(matcher string) ListActorsBuilder
	ForNamespaceMatchers(matchers []string) ListActorsBuilder
	Limit(int32) ListActorsBuilder
	OrderBy(ActorOrderByField, pagination.OrderBy) ListActorsBuilder
	// IncludeDeleted presumably also returns soft-deleted rows — confirm with the implementation.
	IncludeDeleted() ListActorsBuilder
	// ForLabelSelector takes a raw selector string, presumably parsed with ParseLabelSelector.
	ForLabelSelector(selector string) ListActorsBuilder
}
type ListActorsExecutor ¶
// ListActorsExecutor runs a built actor listing: FetchPage returns one page,
// Enumerate calls back per page until the callback returns a stop signal or an error.
type ListActorsExecutor interface {
	FetchPage(context.Context) pagination.PageResult[*Actor]
	Enumerate(context.Context, func(pagination.PageResult[*Actor]) (keepGoing pagination.KeepGoing, err error)) error
}
type ListConnectionsBuilder ¶
// ListConnectionsBuilder accumulates filters, ordering and paging for a connection
// listing; every method returns the builder for chaining and the embedded
// ListConnectionsExecutor runs the query.
type ListConnectionsBuilder interface {
	ListConnectionsExecutor
	Limit(int32) ListConnectionsBuilder
	ForState(ConnectionState) ListConnectionsBuilder
	ForStates([]ConnectionState) ListConnectionsBuilder
	ForNamespaceMatcher(matcher string) ListConnectionsBuilder
	ForNamespaceMatchers(matchers []string) ListConnectionsBuilder
	OrderBy(ConnectionOrderByField, pagination.OrderBy) ListConnectionsBuilder
	// IncludeDeleted and WithDeletedHandling both concern soft-deleted rows; how
	// they interact when both are set is not visible here — TODO confirm.
	IncludeDeleted() ListConnectionsBuilder
	WithDeletedHandling(DeletedHandling) ListConnectionsBuilder
	ForLabelSelector(selector string) ListConnectionsBuilder
	// WithSetupStepNotNull presumably keeps only connections with a setup step recorded.
	WithSetupStepNotNull() ListConnectionsBuilder
	// UpdatedBefore keeps connections last updated strictly before t (boundary
	// inclusiveness not visible here).
	UpdatedBefore(t time.Time) ListConnectionsBuilder
}
type ListConnectionsExecutor ¶
// ListConnectionsExecutor runs a built connection listing, one page at a time
// (FetchPage) or page by page through a callback (Enumerate).
type ListConnectionsExecutor interface {
	FetchPage(context.Context) pagination.PageResult[Connection]
	Enumerate(context.Context, func(pagination.PageResult[Connection]) (keepGoing pagination.KeepGoing, err error)) error
}
type ListConnectorVersionsBuilder ¶
// ListConnectorVersionsBuilder accumulates filters, ordering and paging for a
// connector-version listing; methods chain and the embedded executor runs the query.
type ListConnectorVersionsBuilder interface {
	ListConnectorVersionsExecutor
	Limit(int32) ListConnectorVersionsBuilder
	// ForId filters on the connector id, ForVersion on the version number.
	ForId(apid.ID) ListConnectorVersionsBuilder
	ForVersion(uint64) ListConnectorVersionsBuilder
	ForState(ConnectorVersionState) ListConnectorVersionsBuilder
	ForStates([]ConnectorVersionState) ListConnectorVersionsBuilder
	ForNamespaceMatcher(string) ListConnectorVersionsBuilder
	ForNamespaceMatchers([]string) ListConnectorVersionsBuilder
	OrderBy(ConnectorVersionOrderByField, pagination.OrderBy) ListConnectorVersionsBuilder
	IncludeDeleted() ListConnectorVersionsBuilder
	ForLabelSelector(selector string) ListConnectorVersionsBuilder
}
type ListConnectorVersionsExecutor ¶
// ListConnectorVersionsExecutor runs a built connector-version listing.
type ListConnectorVersionsExecutor interface {
	FetchPage(context.Context) pagination.PageResult[ConnectorVersion]
	Enumerate(context.Context, func(pagination.PageResult[ConnectorVersion]) (keepGoing pagination.KeepGoing, err error)) error
}
type ListConnectorsBuilder ¶
// ListConnectorsBuilder accumulates filters, ordering and paging for a connector
// listing; methods chain and the embedded executor runs the query. Note that
// ForState/ForStates take ConnectorVersionState, so the state filter applies to
// the connector's versions rather than to a connector-level state.
type ListConnectorsBuilder interface {
	ListConnectorsExecutor
	Limit(int32) ListConnectorsBuilder
	ForType(string) ListConnectorsBuilder
	ForId(apid.ID) ListConnectorsBuilder
	ForNamespaceMatcher(string) ListConnectorsBuilder
	ForNamespaceMatchers([]string) ListConnectorsBuilder
	ForState(ConnectorVersionState) ListConnectorsBuilder
	ForStates([]ConnectorVersionState) ListConnectorsBuilder
	OrderBy(ConnectorOrderByField, pagination.OrderBy) ListConnectorsBuilder
	IncludeDeleted() ListConnectorsBuilder
	ForLabelSelector(selector string) ListConnectorsBuilder
}
type ListConnectorsExecutor ¶
// ListConnectorsExecutor runs a built connector listing.
type ListConnectorsExecutor interface {
	FetchPage(context.Context) pagination.PageResult[Connector]
	Enumerate(context.Context, func(pagination.PageResult[Connector]) (keepGoing pagination.KeepGoing, err error)) error
}
type ListEncryptionKeysBuilder ¶
// ListEncryptionKeysBuilder accumulates filters, ordering and paging for an
// encryption-key listing; methods chain and the embedded executor runs the query.
// Unlike the other builders there is no ForStates; only a single EncryptionKeyState
// can be filtered on.
type ListEncryptionKeysBuilder interface {
	ListEncryptionKeysExecutor
	Limit(int32) ListEncryptionKeysBuilder
	ForNamespaceMatcher(matcher string) ListEncryptionKeysBuilder
	ForNamespaceMatchers(matchers []string) ListEncryptionKeysBuilder
	ForState(EncryptionKeyState) ListEncryptionKeysBuilder
	OrderBy(EncryptionKeyOrderByField, pagination.OrderBy) ListEncryptionKeysBuilder
	IncludeDeleted() ListEncryptionKeysBuilder
	ForLabelSelector(selector string) ListEncryptionKeysBuilder
}
type ListEncryptionKeysExecutor ¶
// ListEncryptionKeysExecutor runs a built encryption-key listing.
type ListEncryptionKeysExecutor interface {
	FetchPage(context.Context) pagination.PageResult[EncryptionKey]
	Enumerate(context.Context, func(pagination.PageResult[EncryptionKey]) (keepGoing pagination.KeepGoing, err error)) error
}
type ListNamespacesBuilder ¶
// ListNamespacesBuilder accumulates filters, ordering and paging for a namespace
// listing; methods chain and the embedded executor runs the query.
type ListNamespacesBuilder interface {
	ListNamespacesExecutor
	Limit(int32) ListNamespacesBuilder
	// ForPathPrefix, ForDepth and ForChildrenOf navigate the namespace path
	// hierarchy; whether ForChildrenOf means direct children only is not visible here.
	ForPathPrefix(path string) ListNamespacesBuilder
	ForDepth(depth uint64) ListNamespacesBuilder
	ForChildrenOf(path string) ListNamespacesBuilder
	ForNamespaceMatcher(matcher string) ListNamespacesBuilder
	ForNamespaceMatchers(matchers []string) ListNamespacesBuilder
	ForState(NamespaceState) ListNamespacesBuilder
	OrderBy(NamespaceOrderByField, pagination.OrderBy) ListNamespacesBuilder
	IncludeDeleted() ListNamespacesBuilder
	ForLabelSelector(selector string) ListNamespacesBuilder
}
type ListNamespacesExecutor ¶
// ListNamespacesExecutor runs a built namespace listing.
type ListNamespacesExecutor interface {
	FetchPage(context.Context) pagination.PageResult[Namespace]
	Enumerate(context.Context, func(pagination.PageResult[Namespace]) (keepGoing pagination.KeepGoing, err error)) error
}
type Namespace ¶
// Namespace is a grouping of resources, keyed by its Path.
type Namespace struct {
	Path  string
	State NamespaceState
	// EncryptionKeyId is nil when no key is assigned directly to this namespace;
	// whether a parent's key is then inherited is decided elsewhere (see
	// NamespaceEncryptionTarget) — TODO confirm.
	EncryptionKeyId *apid.ID
	Labels          Labels
	Annotations     Annotations
	CreatedAt       time.Time
	UpdatedAt       time.Time
	// DeletedAt is nil unless the namespace has been soft-deleted.
	DeletedAt *time.Time
	// contains filtered or unexported fields
}
Namespace is the grouping of resources within AuthProxy.
func (*Namespace) GetNamespace ¶
type NamespaceEncryptionTarget ¶
// NamespaceEncryptionTarget is the projection of a Namespace consumed by the
// background job that computes its target encryption key version.
type NamespaceEncryptionTarget struct {
	Path  string
	Depth uint64
	// EncryptionKeyId is the key assigned to this namespace, nil if none.
	EncryptionKeyId *apid.ID
	// TargetEncryptionKeyVersionId is the cached result of the job, nil until computed.
	TargetEncryptionKeyVersionId *apid.ID
}
NamespaceEncryptionTarget holds the fields needed by the background job that computes and caches the target encryption key version for each namespace.
type NamespaceOrderByField ¶
// NamespaceOrderByField names a column a namespace listing may be ordered by.
type NamespaceOrderByField string

// Orderable namespace columns; the values are the column names themselves.
const (
	NamespaceOrderByPath      NamespaceOrderByField = "path"
	NamespaceOrderByState     NamespaceOrderByField = "state"
	NamespaceOrderByCreatedAt NamespaceOrderByField = "created_at"
	NamespaceOrderByUpdatedAt NamespaceOrderByField = "updated_at"
)
type NamespaceState ¶
// NamespaceState is the lifecycle state recorded on a Namespace.
type NamespaceState string

// Namespace lifecycle states, in the order a namespace moves through them.
const (
	// NamespaceStateActive is a namespace in normal use.
	NamespaceStateActive NamespaceState = "active"
	// NamespaceStateDestroying is a namespace whose teardown is in progress.
	NamespaceStateDestroying NamespaceState = "destroying"
	// NamespaceStateDestroyed is a namespace whose teardown has completed.
	NamespaceStateDestroyed NamespaceState = "destroyed"
)
type NamespaceTargetEncryptionKeyVersionUpdate ¶
// NamespaceTargetEncryptionKeyVersionUpdate pairs a namespace Path with the key
// version it should encrypt to; TargetEncryptionKeyVersionId is not a pointer, so
// an update cannot clear the target.
type NamespaceTargetEncryptionKeyVersionUpdate struct {
	Path                         string
	TargetEncryptionKeyVersionId apid.ID
}
NamespaceTargetEncryptionKeyVersionUpdate carries an update to set the target encryption key version for a specific namespace.
type OAuth2Token ¶
// OAuth2Token is a stored token pair for a Connection. Both token values are held
// only as encfield.EncryptedField, so the struct itself never carries plaintext
// secrets.
type OAuth2Token struct {
	Id           apid.ID
	ConnectionId apid.ID // Foreign key to Connection; not enforced by database
	// RefreshedFromId presumably references the token this one replaced on refresh — confirm.
	RefreshedFromId       *apid.ID
	EncryptedRefreshToken encfield.EncryptedField
	EncryptedAccessToken  encfield.EncryptedField
	// AccessTokenExpiresAt is nil when no expiry is recorded; IsAccessTokenExpired
	// presumably consults it.
	AccessTokenExpiresAt *time.Time
	Scopes               string
	CreatedAt            time.Time
	// EncryptedAt is optional; its exact meaning is not visible in this file.
	EncryptedAt *time.Time
	DeletedAt   *time.Time
}
func (*OAuth2Token) IsAccessTokenExpired ¶
func (t *OAuth2Token) IsAccessTokenExpired(ctx context.Context) bool
func (*OAuth2Token) Validate ¶
func (t *OAuth2Token) Validate() error
type OAuth2TokenWithConnection ¶
// OAuth2TokenWithConnection bundles a token with the Connection it belongs to,
// resolving the unenforced ConnectionId foreign key at read time.
type OAuth2TokenWithConnection struct {
	Token      OAuth2Token
	Connection Connection
}
type Permissions ¶
// Permissions is a slice of aschema.Permission that round-trips through the
// database as JSON (see Scan).
type Permissions []aschema.Permission
Permissions is a custom type for a slice of permissions. The values are serialized to JSON.
func (*Permissions) Scan ¶
func (p *Permissions) Scan(value interface{}) error
Scan implements the sql.Scanner interface for Permissions.
type ReEncryptedFieldUpdate ¶
// ReEncryptedFieldUpdate carries one re-encrypted value back to its row.
// NOTE(review): Table, PrimaryKeyCols and FieldColumn are SQL identifiers; they
// should only ever be populated from the encrypted-field registration (as the
// matching ReEncryptionTarget is), never from external input.
type ReEncryptedFieldUpdate struct {
	Table            string
	PrimaryKeyCols   []string
	PrimaryKeyValues []any
	FieldColumn      string
	NewValue         encfield.EncryptedField
}
ReEncryptedFieldUpdate carries the data to update a single encrypted field after re-encryption.
type ReEncryptionTarget ¶
// ReEncryptionTarget locates one encrypted field on one row and names the key
// version it should be re-encrypted under. Table, PrimaryKeyCols and FieldColumn
// are SQL identifiers taken from the registration, not from user data.
type ReEncryptionTarget struct {
	Table                        string
	PrimaryKeyCols               []string                // column names in PK order (from registration)
	PrimaryKeyValues             []any                   // values in PK column order
	FieldColumn                  string                  // which encrypted column
	EncryptedFieldValue          encfield.EncryptedField // current value (contains EKV ID)
	TargetEncryptionKeyVersionId apid.ID                 // what it should be
}
ReEncryptionTarget represents one encrypted field on one row that needs re-encryption.
type UpsertConnectorVersionResult ¶
// UpsertConnectorVersionResult reports the outcome of upserting a connector
// version: the stored row plus its resulting State and Version. Whether
// ConnectorVersion can be nil on some outcomes is not visible here — TODO confirm.
type UpsertConnectorVersionResult struct {
	ConnectorVersion *ConnectorVersion
	State            ConnectorVersionState
	Version          uint64
}
type UsedNonce ¶
UsedNonce represents a one-time-use value (a UUID) that has already been used in the system and cannot be used again. When nonces are used outside the system, they should also have some form of expiry mechanism, so that when one is used there is a known time until which it must be retained and the list of used nonces does not grow without bound.