feat: Add Academy, Whistleblower, Incidents, Vendor, DSB, SSO, Reporting, Multi-Tenant and Industry backends

Go handlers, models, stores and migrations for all SDK modules. Updates developer portal navigation and BYOEH page. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 21:11:27 +01:00
parent 364d2c69ff
commit 504dd3591b
40 changed files with 13105 additions and 7 deletions
--- a/ai-compliance-sdk/internal/sso/models.go
+++ b/ai-compliance-sdk/internal/sso/models.go
@@ -0,0 +1,158 @@
+package sso
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// ============================================================================
+// Constants / Enums
+// ============================================================================
+
+// ProviderType represents the SSO authentication protocol.
+type ProviderType string
+
+const (
+	// ProviderTypeOIDC represents OpenID Connect authentication.
+	ProviderTypeOIDC ProviderType = "oidc"
+	// ProviderTypeSAML represents SAML 2.0 authentication.
+	ProviderTypeSAML ProviderType = "saml"
+)
+
+// ============================================================================
+// Main Entities
+// ============================================================================
+
+// SSOConfig represents a per-tenant SSO provider configuration supporting
+// OIDC and SAML authentication protocols.
+type SSOConfig struct {
+	ID           uuid.UUID    `json:"id" db:"id"`
+	TenantID     uuid.UUID    `json:"tenant_id" db:"tenant_id"`
+	ProviderType ProviderType `json:"provider_type" db:"provider_type"`
+	Name         string       `json:"name" db:"name"`
+	Enabled      bool         `json:"enabled" db:"enabled"`
+
+	// OIDC settings
+	OIDCIssuerURL    string   `json:"oidc_issuer_url,omitempty" db:"oidc_issuer_url"`
+	OIDCClientID     string   `json:"oidc_client_id,omitempty" db:"oidc_client_id"`
+	OIDCClientSecret string   `json:"oidc_client_secret,omitempty" db:"oidc_client_secret"`
+	OIDCRedirectURI  string   `json:"oidc_redirect_uri,omitempty" db:"oidc_redirect_uri"`
+	OIDCScopes       []string `json:"oidc_scopes,omitempty" db:"oidc_scopes"`
+
+	// SAML settings (for future use)
+	SAMLEntityID    string `json:"saml_entity_id,omitempty" db:"saml_entity_id"`
+	SAMLSSOURL      string `json:"saml_sso_url,omitempty" db:"saml_sso_url"`
+	SAMLCertificate string `json:"saml_certificate,omitempty" db:"saml_certificate"`
+	SAMLACS_URL     string `json:"saml_acs_url,omitempty" db:"saml_acs_url"`
+
+	// Role mapping: maps SSO group/role names to internal role IDs
+	RoleMapping   map[string]string `json:"role_mapping" db:"role_mapping"`
+	DefaultRoleID *uuid.UUID        `json:"default_role_id,omitempty" db:"default_role_id"`
+	AutoProvision bool              `json:"auto_provision" db:"auto_provision"`
+
+	// Audit
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// SSOUser represents a JIT-provisioned user authenticated via an SSO provider.
+type SSOUser struct {
+	ID          uuid.UUID  `json:"id" db:"id"`
+	TenantID    uuid.UUID  `json:"tenant_id" db:"tenant_id"`
+	SSOConfigID uuid.UUID  `json:"sso_config_id" db:"sso_config_id"`
+	ExternalID  string     `json:"external_id" db:"external_id"`
+	Email       string     `json:"email" db:"email"`
+	DisplayName string     `json:"display_name" db:"display_name"`
+	Groups      []string   `json:"groups" db:"groups"`
+	LastLogin   *time.Time `json:"last_login,omitempty" db:"last_login"`
+	IsActive    bool       `json:"is_active" db:"is_active"`
+
+	// Audit
+	CreatedAt time.Time `json:"created_at" db:"created_at"`
+	UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
+}
+
+// ============================================================================
+// API Request Types
+// ============================================================================
+
+// CreateSSOConfigRequest is the API request for creating an SSO configuration.
+type CreateSSOConfigRequest struct {
+	ProviderType     ProviderType      `json:"provider_type" binding:"required"`
+	Name             string            `json:"name" binding:"required"`
+	Enabled          bool              `json:"enabled"`
+	OIDCIssuerURL    string            `json:"oidc_issuer_url"`
+	OIDCClientID     string            `json:"oidc_client_id"`
+	OIDCClientSecret string            `json:"oidc_client_secret"`
+	OIDCRedirectURI  string            `json:"oidc_redirect_uri"`
+	OIDCScopes       []string          `json:"oidc_scopes"`
+	RoleMapping      map[string]string `json:"role_mapping"`
+	DefaultRoleID    *uuid.UUID        `json:"default_role_id"`
+	AutoProvision    bool              `json:"auto_provision"`
+}
+
+// UpdateSSOConfigRequest is the API request for partially updating an SSO
+// configuration. Pointer fields allow distinguishing between "not provided"
+// (nil) and "set to zero value".
+type UpdateSSOConfigRequest struct {
+	Name             *string            `json:"name"`
+	Enabled          *bool              `json:"enabled"`
+	OIDCIssuerURL    *string            `json:"oidc_issuer_url"`
+	OIDCClientID     *string            `json:"oidc_client_id"`
+	OIDCClientSecret *string            `json:"oidc_client_secret"`
+	OIDCRedirectURI  *string            `json:"oidc_redirect_uri"`
+	OIDCScopes       []string           `json:"oidc_scopes"`
+	RoleMapping      map[string]string  `json:"role_mapping"`
+	DefaultRoleID    *uuid.UUID         `json:"default_role_id"`
+	AutoProvision    *bool              `json:"auto_provision"`
+}
+
+// ============================================================================
+// JWT / Session Types
+// ============================================================================
+
+// SSOClaims holds the claims embedded in JWT tokens issued after successful
+// SSO authentication. These are used for downstream authorization decisions.
+type SSOClaims struct {
+	UserID      uuid.UUID `json:"user_id"`
+	TenantID    uuid.UUID `json:"tenant_id"`
+	Email       string    `json:"email"`
+	DisplayName string    `json:"display_name"`
+	Roles       []string  `json:"roles"`
+	SSOConfigID uuid.UUID `json:"sso_config_id"`
+}
+
+// ============================================================================
+// List / Filter Types
+// ============================================================================
+
+// SSOConfigFilters defines filters for listing SSO configurations.
+type SSOConfigFilters struct {
+	ProviderType ProviderType
+	Enabled      *bool
+	Search       string
+	Limit        int
+	Offset       int
+}
+
+// SSOUserFilters defines filters for listing SSO users.
+type SSOUserFilters struct {
+	SSOConfigID *uuid.UUID
+	Email       string
+	IsActive    *bool
+	Limit       int
+	Offset      int
+}
+
+// SSOConfigListResponse is the API response for listing SSO configurations.
+type SSOConfigListResponse struct {
+	Configs []SSOConfig `json:"configs"`
+	Total   int         `json:"total"`
+}
+
+// SSOUserListResponse is the API response for listing SSO users.
+type SSOUserListResponse struct {
+	Users []SSOUser `json:"users"`
+	Total int       `json:"total"`
+}