Benjamin Boenisch 504dd3591b feat: Add Academy, Whistleblower, Incidents, Vendor, DSB, SSO, Reporting, Multi-Tenant and Industry backends
Go handlers, models, stores and migrations for all SDK modules.
Updates developer portal navigation and BYOEH page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 21:11:27 +01:00


package sso
import (
"time"
"github.com/google/uuid"
)
// ============================================================================
// Constants / Enums
// ============================================================================
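// ProviderType represents the SSO authentication protocol a tenant's
// SSOConfig uses. It is a plain string enum so it round-trips through JSON
// and the database unchanged; use IsValid to reject values outside the enum,
// because the type system alone does not stop "" or arbitrary text.
type ProviderType string

const (
	// ProviderTypeOIDC represents OpenID Connect authentication.
	ProviderTypeOIDC ProviderType = "oidc"
	// ProviderTypeSAML represents SAML 2.0 authentication. The SAML fields on
	// SSOConfig are marked "for future use", so this value may be accepted
	// before a SAML login path exists — confirm before exposing it to tenants.
	ProviderTypeSAML ProviderType = "saml"
)

// IsValid reports whether p is one of the known provider types. Handlers and
// stores should call this on tenant-supplied values before persisting them:
// an unknown protocol string would be stored and then matched by no login
// path. The comparison is exact (case-sensitive), matching the constants.
func (p ProviderType) IsValid() bool {
	switch p {
	case ProviderTypeOIDC, ProviderTypeSAML:
		return true
	default:
		return false
	}
}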
// ============================================================================
// Main Entities
// ============================================================================
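// SSOConfig represents a per-tenant SSO provider configuration supporting
// OIDC and SAML authentication protocols. The same struct serves persistence
// (db tags) and API responses (json tags): it is embedded verbatim in
// SSOConfigListResponse, so every field with a JSON tag is visible to any
// caller allowed to list configurations. Credential material must therefore
// carry json:"-".
type SSOConfig struct {
	ID           uuid.UUID    `json:"id" db:"id"`
	TenantID     uuid.UUID    `json:"tenant_id" db:"tenant_id"`
	ProviderType ProviderType `json:"provider_type" db:"provider_type"`
	Name         string       `json:"name" db:"name"`
	Enabled      bool         `json:"enabled" db:"enabled"`

	// OIDC settings
	//
	// OIDCIssuerURL is tenant-supplied and is presumably dereferenced
	// server-side for discovery; treat it as an SSRF surface (https only,
	// no internal hosts) — TODO confirm where it is fetched.
	OIDCIssuerURL string `json:"oidc_issuer_url,omitempty" db:"oidc_issuer_url"`
	OIDCClientID  string `json:"oidc_client_id,omitempty" db:"oidc_client_id"`
	// OIDCClientSecret is a credential: persisted via the db tag, never
	// serialised to JSON. A JSON tag here would echo the secret in the
	// list/get responses that wrap this struct. It is write-only through
	// CreateSSOConfigRequest/UpdateSSOConfigRequest; if the UI needs to know
	// whether a secret is set, expose a separate boolean rather than the value.
	OIDCClientSecret string   `json:"-" db:"oidc_client_secret"`
	OIDCRedirectURI  string   `json:"oidc_redirect_uri,omitempty" db:"oidc_redirect_uri"`
	OIDCScopes       []string `json:"oidc_scopes,omitempty" db:"oidc_scopes"`

	// SAML settings (for future use)
	SAMLEntityID string `json:"saml_entity_id,omitempty" db:"saml_entity_id"`
	SAMLSSOURL   string `json:"saml_sso_url,omitempty" db:"saml_sso_url"`
	// SAMLCertificate is presumably the IdP signing certificate (public
	// material) — verify. If a private key or SP signing key is ever stored
	// here it needs the same json:"-" treatment as OIDCClientSecret.
	SAMLCertificate string `json:"saml_certificate,omitempty" db:"saml_certificate"`
	// SAMLACS_URL keeps its non-idiomatic name for compatibility with
	// existing callers.
	SAMLACS_URL string `json:"saml_acs_url,omitempty" db:"saml_acs_url"`

	// Role mapping: maps SSO group/role names to internal role IDs.
	RoleMapping map[string]string `json:"role_mapping" db:"role_mapping"`
	// DefaultRoleID is presumably applied when no mapping matches. Combined
	// with AutoProvision, every identity the IdP asserts gets an account with
	// this role, so it should be the least-privileged role available.
	DefaultRoleID *uuid.UUID `json:"default_role_id,omitempty" db:"default_role_id"`
	AutoProvision bool       `json:"auto_provision" db:"auto_provision"`

	// Audit
	CreatedAt time.Time `json:"created_at" db:"created_at"`
	UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
}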
// SSOUser represents a JIT-provisioned user authenticated via an SSO provider.
// One record per identity the IdP has asserted for a tenant, tied to the
// SSOConfig it came through.
type SSOUser struct {
	ID          uuid.UUID `json:"id" db:"id"`
	TenantID    uuid.UUID `json:"tenant_id" db:"tenant_id"`
	SSOConfigID uuid.UUID `json:"sso_config_id" db:"sso_config_id"`
	// ExternalID is the provider's stable identifier for the user (the OIDC
	// "sub" claim, presumably). NOTE(review): account lookup and linking
	// should key on (sso_config_id, external_id), never on Email alone — an
	// email can be reassigned at the IdP, which would let a new identity
	// inherit an existing account. Confirm in the store.
	ExternalID  string `json:"external_id" db:"external_id"`
	Email       string `json:"email" db:"email"`
	DisplayName string `json:"display_name" db:"display_name"`
	// Groups as last asserted by the IdP; presumably the input to
	// SSOConfig.RoleMapping. They are only as fresh as LastLogin.
	Groups    []string   `json:"groups" db:"groups"`
	LastLogin *time.Time `json:"last_login,omitempty" db:"last_login"`
	// IsActive is the local kill switch: a user deactivated here should be
	// refused even if the IdP still authenticates them — TODO confirm the
	// login path checks it before issuing a token.
	IsActive bool `json:"is_active" db:"is_active"`
	// Audit
	CreatedAt time.Time `json:"created_at" db:"created_at"`
	UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
}
// ============================================================================
// API Request Types
// ============================================================================
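// CreateSSOConfigRequest is the API request for creating an SSO configuration.
// TenantID is absent from the body; tenant scoping is presumably taken from
// the authenticated caller — confirm the handler never trusts a body value.
// The SAML fields on SSOConfig cannot be set through this request yet (they
// are marked "for future use").
type CreateSSOConfigRequest struct {
	// ProviderType must be one of the ProviderType constants. The `oneof`
	// rule rejects arbitrary strings at the binding layer instead of
	// persisting a protocol that no login path can handle.
	ProviderType ProviderType `json:"provider_type" binding:"required,oneof=oidc saml"`
	Name         string       `json:"name" binding:"required"`
	Enabled      bool         `json:"enabled"`
	// Tenant-supplied URLs: the issuer is presumably fetched for discovery
	// and the redirect URI is handed to the IdP, so both should be validated
	// as absolute https URLs by the handler — TODO confirm.
	OIDCIssuerURL string `json:"oidc_issuer_url"`
	OIDCClientID  string `json:"oidc_client_id"`
	// OIDCClientSecret is write-only by intent: accepted here and stored;
	// responses must never echo it.
	OIDCClientSecret string            `json:"oidc_client_secret"`
	OIDCRedirectURI  string            `json:"oidc_redirect_uri"`
	OIDCScopes       []string          `json:"oidc_scopes"`
	RoleMapping      map[string]string `json:"role_mapping"`
	// DefaultRoleID with AutoProvision decides what any IdP-asserted identity
	// receives; the handler should verify the role belongs to the tenant.
	DefaultRoleID *uuid.UUID `json:"default_role_id"`
	AutoProvision bool       `json:"auto_provision"`
}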
// UpdateSSOConfigRequest is the API request for partially updating an SSO
// configuration. Pointer fields allow distinguishing between "not provided"
// (nil) and "set to zero value". ProviderType is not part of this request;
// switching protocols means creating a new configuration.
type UpdateSSOConfigRequest struct {
	Name          *string `json:"name"`
	Enabled       *bool   `json:"enabled"`
	OIDCIssuerURL *string `json:"oidc_issuer_url"`
	OIDCClientID  *string `json:"oidc_client_id"`
	// OIDCClientSecret: nil leaves the stored secret untouched; a pointer to
	// "" presumably clears it (the "set to zero value" case above). The
	// response to this request must not echo the current value.
	OIDCClientSecret *string `json:"oidc_client_secret"`
	OIDCRedirectURI  *string `json:"oidc_redirect_uri"`
	// Slice and map fields do not use the pointer trick: absent/null decodes
	// to nil, an explicit [] or {} to an empty non-nil value. TODO confirm
	// the store treats nil as "leave unchanged" and empty as "clear".
	OIDCScopes    []string          `json:"oidc_scopes"`
	RoleMapping   map[string]string `json:"role_mapping"`
	DefaultRoleID *uuid.UUID        `json:"default_role_id"`
	AutoProvision *bool             `json:"auto_provision"`
}
// ============================================================================
// JWT / Session Types
// ============================================================================
// SSOClaims holds the claims embedded in JWT tokens issued after successful
// SSO authentication. These are used for downstream authorization decisions.
//
// NOTE(review): none of the registered claims (exp, iat, nbf, iss, aud, jti)
// appear here, so token lifetime and audience must come from whatever wraps
// or embeds this struct at signing time — confirm the issuer sets exp and
// the verifier enforces it. Everything below is a snapshot at issue time:
// deactivating the user (SSOUser.IsActive) or changing RoleMapping has no
// effect on tokens already issued until they expire.
type SSOClaims struct {
	UserID uuid.UUID `json:"user_id"`
	// TenantID is the multi-tenant boundary; it must be compared against the
	// tenant of the resource on every request, not only at login.
	TenantID    uuid.UUID `json:"tenant_id"`
	Email       string    `json:"email"`
	DisplayName string    `json:"display_name"`
	// Roles are presumably internal role identifiers resolved from the IdP
	// groups via SSOConfig.RoleMapping, not the raw group names — verify.
	Roles       []string  `json:"roles"`
	SSOConfigID uuid.UUID `json:"sso_config_id"`
}
// ============================================================================
// List / Filter Types
// ============================================================================
// SSOConfigFilters defines filters for listing SSO configurations. The tenant
// is not a filter here; callers are expected to scope the query to the
// authenticated tenant separately — TODO confirm the store always does so.
type SSOConfigFilters struct {
	// ProviderType narrows to one protocol; the zero value "" means any.
	ProviderType ProviderType
	// Enabled: nil means no filter, otherwise match the flag exactly.
	Enabled *bool
	// Search is free text (presumably matched against Name). It must be
	// passed as a bound query parameter, never interpolated into SQL.
	Search string
	// Limit/Offset paginate the result; the store should clamp Limit to a
	// sane maximum and reject or zero negative values — TODO confirm.
	Limit  int
	Offset int
}
// SSOUserFilters defines filters for listing SSO users. As with
// SSOConfigFilters, tenant scoping is not expressed here and must be applied
// by the store from the caller's tenant — TODO confirm.
type SSOUserFilters struct {
	// SSOConfigID: nil means users from any provider configuration.
	SSOConfigID *uuid.UUID
	// Email is a match value (exact or pattern, presumably); bind it as a
	// parameter rather than building the query string with it.
	Email string
	// IsActive: nil means no filter, otherwise match the flag exactly.
	IsActive *bool
	// Limit/Offset paginate the result; clamp Limit and reject negatives
	// in the store — TODO confirm.
	Limit  int
	Offset int
}
// SSOConfigListResponse is the API response for listing SSO configurations.
// Each SSOConfig is serialised as-is, so its json tags decide what the caller
// sees: before adding a field to SSOConfig, check that credential material
// (OIDCClientSecret in particular) has no JSON tag that would emit it here.
type SSOConfigListResponse struct {
	Configs []SSOConfig `json:"configs"`
	// Total is presumably the unpaginated match count so clients can page
	// with SSOConfigFilters.Limit/Offset.
	Total int `json:"total"`
}
// SSOUserListResponse is the API response for listing SSO users. Each
// SSOUser is serialised as-is, including Email, DisplayName and the IdP
// Groups, so the endpoint returning it should be restricted to tenant
// administrators.
type SSOUserListResponse struct {
	Users []SSOUser `json:"users"`
	// Total is presumably the unpaginated match count so clients can page
	// with SSOUserFilters.Limit/Offset.
	Total int `json:"total"`
}