Fix: Remove broken getKlausurApiUrl and clean up empty lines
Some checks failed
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-school (push) Successful in 42s
CI / test-go-edu-search (push) Successful in 34s
CI / test-python-klausur (push) Failing after 2m51s
CI / test-python-agent-core (push) Successful in 21s
CI / test-nodejs-website (push) Successful in 29s
Some checks failed
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-school (push) Successful in 42s
CI / test-go-edu-search (push) Successful in 34s
CI / test-python-klausur (push) Failing after 2m51s
CI / test-python-agent-core (push) Successful in 21s
CI / test-nodejs-website (push) Successful in 29s
sed replacement left orphaned hostname references in story page and empty lines in getApiBase functions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
411
edu-search-service/internal/policy/store_audit.go
Normal file
411
edu-search-service/internal/policy/store_audit.go
Normal file
@@ -0,0 +1,411 @@
|
||||
package policy
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
// =============================================================================
|
||||
// AUDIT LOG
|
||||
// =============================================================================
|
||||
|
||||
// CreateAuditLog creates a new audit log entry.
|
||||
func (s *Store) CreateAuditLog(ctx context.Context, entry *PolicyAuditLog) error {
|
||||
entry.ID = uuid.New()
|
||||
entry.CreatedAt = time.Now()
|
||||
|
||||
query := `
|
||||
INSERT INTO policy_audit_log (id, action, entity_type, entity_id, old_value, new_value,
|
||||
user_id, user_email, ip_address, user_agent, created_at)
|
||||
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)`
|
||||
|
||||
_, err := s.pool.Exec(ctx, query,
|
||||
entry.ID, entry.Action, entry.EntityType, entry.EntityID,
|
||||
entry.OldValue, entry.NewValue, entry.UserID, entry.UserEmail,
|
||||
entry.IPAddress, entry.UserAgent, entry.CreatedAt,
|
||||
)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create audit log: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// ListAuditLogs retrieves audit logs with filters.
|
||||
func (s *Store) ListAuditLogs(ctx context.Context, filter *AuditLogFilter) ([]PolicyAuditLog, int, error) {
|
||||
baseQuery := `FROM policy_audit_log WHERE 1=1`
|
||||
args := []interface{}{}
|
||||
argCount := 0
|
||||
|
||||
if filter.EntityType != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND entity_type = $%d", argCount)
|
||||
args = append(args, *filter.EntityType)
|
||||
}
|
||||
|
||||
if filter.EntityID != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND entity_id = $%d", argCount)
|
||||
args = append(args, *filter.EntityID)
|
||||
}
|
||||
|
||||
if filter.Action != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND action = $%d", argCount)
|
||||
args = append(args, *filter.Action)
|
||||
}
|
||||
|
||||
if filter.UserEmail != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND user_email ILIKE $%d", argCount)
|
||||
args = append(args, "%"+*filter.UserEmail+"%")
|
||||
}
|
||||
|
||||
if filter.FromDate != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND created_at >= $%d", argCount)
|
||||
args = append(args, *filter.FromDate)
|
||||
}
|
||||
|
||||
if filter.ToDate != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND created_at <= $%d", argCount)
|
||||
args = append(args, *filter.ToDate)
|
||||
}
|
||||
|
||||
// Count query
|
||||
var total int
|
||||
countQuery := "SELECT COUNT(*) " + baseQuery
|
||||
err := s.pool.QueryRow(ctx, countQuery, args...).Scan(&total)
|
||||
if err != nil {
|
||||
return nil, 0, fmt.Errorf("failed to count audit logs: %w", err)
|
||||
}
|
||||
|
||||
// Data query
|
||||
dataQuery := `SELECT id, action, entity_type, entity_id, old_value, new_value,
|
||||
user_id, user_email, ip_address, user_agent, created_at ` + baseQuery +
|
||||
` ORDER BY created_at DESC`
|
||||
|
||||
if filter.Limit > 0 {
|
||||
argCount++
|
||||
dataQuery += fmt.Sprintf(" LIMIT $%d", argCount)
|
||||
args = append(args, filter.Limit)
|
||||
}
|
||||
if filter.Offset > 0 {
|
||||
argCount++
|
||||
dataQuery += fmt.Sprintf(" OFFSET $%d", argCount)
|
||||
args = append(args, filter.Offset)
|
||||
}
|
||||
|
||||
rows, err := s.pool.Query(ctx, dataQuery, args...)
|
||||
if err != nil {
|
||||
return nil, 0, fmt.Errorf("failed to list audit logs: %w", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
logs := []PolicyAuditLog{}
|
||||
for rows.Next() {
|
||||
var l PolicyAuditLog
|
||||
err := rows.Scan(
|
||||
&l.ID, &l.Action, &l.EntityType, &l.EntityID, &l.OldValue, &l.NewValue,
|
||||
&l.UserID, &l.UserEmail, &l.IPAddress, &l.UserAgent, &l.CreatedAt,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, 0, fmt.Errorf("failed to scan audit log: %w", err)
|
||||
}
|
||||
logs = append(logs, l)
|
||||
}
|
||||
|
||||
return logs, total, nil
|
||||
}
|
||||
|
||||
// =============================================================================
|
||||
// BLOCKED CONTENT LOG
|
||||
// =============================================================================
|
||||
|
||||
// CreateBlockedContentLog creates a new blocked content log entry.
|
||||
func (s *Store) CreateBlockedContentLog(ctx context.Context, entry *BlockedContentLog) error {
|
||||
entry.ID = uuid.New()
|
||||
entry.CreatedAt = time.Now()
|
||||
|
||||
query := `
|
||||
INSERT INTO blocked_content_log (id, url, domain, block_reason, matched_rule_id, details, created_at)
|
||||
VALUES ($1, $2, $3, $4, $5, $6, $7)`
|
||||
|
||||
_, err := s.pool.Exec(ctx, query,
|
||||
entry.ID, entry.URL, entry.Domain, entry.BlockReason,
|
||||
entry.MatchedRuleID, entry.Details, entry.CreatedAt,
|
||||
)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create blocked content log: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// ListBlockedContent retrieves blocked content logs with filters.
|
||||
func (s *Store) ListBlockedContent(ctx context.Context, filter *BlockedContentFilter) ([]BlockedContentLog, int, error) {
|
||||
baseQuery := `FROM blocked_content_log WHERE 1=1`
|
||||
args := []interface{}{}
|
||||
argCount := 0
|
||||
|
||||
if filter.Domain != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND domain ILIKE $%d", argCount)
|
||||
args = append(args, "%"+*filter.Domain+"%")
|
||||
}
|
||||
|
||||
if filter.BlockReason != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND block_reason = $%d", argCount)
|
||||
args = append(args, *filter.BlockReason)
|
||||
}
|
||||
|
||||
if filter.FromDate != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND created_at >= $%d", argCount)
|
||||
args = append(args, *filter.FromDate)
|
||||
}
|
||||
|
||||
if filter.ToDate != nil {
|
||||
argCount++
|
||||
baseQuery += fmt.Sprintf(" AND created_at <= $%d", argCount)
|
||||
args = append(args, *filter.ToDate)
|
||||
}
|
||||
|
||||
// Count query
|
||||
var total int
|
||||
countQuery := "SELECT COUNT(*) " + baseQuery
|
||||
err := s.pool.QueryRow(ctx, countQuery, args...).Scan(&total)
|
||||
if err != nil {
|
||||
return nil, 0, fmt.Errorf("failed to count blocked content: %w", err)
|
||||
}
|
||||
|
||||
// Data query
|
||||
dataQuery := `SELECT id, url, domain, block_reason, matched_rule_id, details, created_at ` + baseQuery +
|
||||
` ORDER BY created_at DESC`
|
||||
|
||||
if filter.Limit > 0 {
|
||||
argCount++
|
||||
dataQuery += fmt.Sprintf(" LIMIT $%d", argCount)
|
||||
args = append(args, filter.Limit)
|
||||
}
|
||||
if filter.Offset > 0 {
|
||||
argCount++
|
||||
dataQuery += fmt.Sprintf(" OFFSET $%d", argCount)
|
||||
args = append(args, filter.Offset)
|
||||
}
|
||||
|
||||
rows, err := s.pool.Query(ctx, dataQuery, args...)
|
||||
if err != nil {
|
||||
return nil, 0, fmt.Errorf("failed to list blocked content: %w", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
logs := []BlockedContentLog{}
|
||||
for rows.Next() {
|
||||
var l BlockedContentLog
|
||||
err := rows.Scan(
|
||||
&l.ID, &l.URL, &l.Domain, &l.BlockReason,
|
||||
&l.MatchedRuleID, &l.Details, &l.CreatedAt,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, 0, fmt.Errorf("failed to scan blocked content: %w", err)
|
||||
}
|
||||
logs = append(logs, l)
|
||||
}
|
||||
|
||||
return logs, total, nil
|
||||
}
|
||||
|
||||
// =============================================================================
|
||||
// STATISTICS
|
||||
// =============================================================================
|
||||
|
||||
// GetStats retrieves aggregated statistics for the policy system.
|
||||
func (s *Store) GetStats(ctx context.Context) (*PolicyStats, error) {
|
||||
stats := &PolicyStats{
|
||||
SourcesByLicense: make(map[string]int),
|
||||
BlocksByReason: make(map[string]int),
|
||||
}
|
||||
|
||||
// Active policies
|
||||
err := s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM source_policies WHERE is_active = true`).Scan(&stats.ActivePolicies)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to count active policies: %w", err)
|
||||
}
|
||||
|
||||
// Total sources
|
||||
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM allowed_sources`).Scan(&stats.TotalSources)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to count total sources: %w", err)
|
||||
}
|
||||
|
||||
// Active sources
|
||||
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM allowed_sources WHERE is_active = true`).Scan(&stats.ActiveSources)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to count active sources: %w", err)
|
||||
}
|
||||
|
||||
// Blocked today
|
||||
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM blocked_content_log WHERE created_at >= CURRENT_DATE`).Scan(&stats.BlockedToday)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to count blocked today: %w", err)
|
||||
}
|
||||
|
||||
// Blocked total
|
||||
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM blocked_content_log`).Scan(&stats.BlockedTotal)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to count blocked total: %w", err)
|
||||
}
|
||||
|
||||
// Active PII rules
|
||||
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM pii_rules WHERE is_active = true`).Scan(&stats.PIIRulesActive)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to count active PII rules: %w", err)
|
||||
}
|
||||
|
||||
// Sources by license
|
||||
rows, err := s.pool.Query(ctx, `SELECT license, COUNT(*) FROM allowed_sources GROUP BY license`)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to count sources by license: %w", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
for rows.Next() {
|
||||
var license string
|
||||
var count int
|
||||
if err := rows.Scan(&license, &count); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
stats.SourcesByLicense[license] = count
|
||||
}
|
||||
|
||||
// Blocks by reason
|
||||
rows, err = s.pool.Query(ctx, `SELECT block_reason, COUNT(*) FROM blocked_content_log GROUP BY block_reason`)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to count blocks by reason: %w", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
for rows.Next() {
|
||||
var reason string
|
||||
var count int
|
||||
if err := rows.Scan(&reason, &count); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
stats.BlocksByReason[reason] = count
|
||||
}
|
||||
|
||||
// Compliance score (simplified: active sources / total sources)
|
||||
if stats.TotalSources > 0 {
|
||||
stats.ComplianceScore = float64(stats.ActiveSources) / float64(stats.TotalSources) * 100
|
||||
}
|
||||
|
||||
return stats, nil
|
||||
}
|
||||
|
||||
// =============================================================================
|
||||
// YAML LOADER
|
||||
// =============================================================================
|
||||
|
||||
// LoadFromYAML loads initial policy data from YAML configuration.
|
||||
func (s *Store) LoadFromYAML(ctx context.Context, config *BundeslaenderConfig) error {
|
||||
// Load federal policy
|
||||
if config.Federal.Name != "" {
|
||||
err := s.loadPolicy(ctx, nil, &config.Federal, &config.DefaultOperations)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load federal policy: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
// Load Bundesland policies
|
||||
for code, policyConfig := range config.Bundeslaender {
|
||||
if code == "federal" || code == "default_operations" || code == "pii_rules" {
|
||||
continue
|
||||
}
|
||||
bl := Bundesland(code)
|
||||
err := s.loadPolicy(ctx, &bl, &policyConfig, &config.DefaultOperations)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load policy for %s: %w", code, err)
|
||||
}
|
||||
}
|
||||
|
||||
// Load PII rules
|
||||
for _, ruleConfig := range config.PIIRules {
|
||||
err := s.loadPIIRule(ctx, &ruleConfig)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load PII rule %s: %w", ruleConfig.Name, err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *Store) loadPolicy(ctx context.Context, bundesland *Bundesland, config *PolicyConfig, ops *OperationsConfig) error {
|
||||
// Create policy
|
||||
policy, err := s.CreatePolicy(ctx, &CreateSourcePolicyRequest{
|
||||
Name: config.Name,
|
||||
Bundesland: bundesland,
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Create sources
|
||||
for _, srcConfig := range config.Sources {
|
||||
trustBoost := 0.5
|
||||
if srcConfig.TrustBoost > 0 {
|
||||
trustBoost = srcConfig.TrustBoost
|
||||
}
|
||||
|
||||
var legalBasis, citation *string
|
||||
if srcConfig.LegalBasis != "" {
|
||||
legalBasis = &srcConfig.LegalBasis
|
||||
}
|
||||
if srcConfig.CitationTemplate != "" {
|
||||
citation = &srcConfig.CitationTemplate
|
||||
}
|
||||
|
||||
_, err := s.CreateSource(ctx, &CreateAllowedSourceRequest{
|
||||
PolicyID: policy.ID,
|
||||
Domain: srcConfig.Domain,
|
||||
Name: srcConfig.Name,
|
||||
License: License(srcConfig.License),
|
||||
LegalBasis: legalBasis,
|
||||
CitationTemplate: citation,
|
||||
TrustBoost: &trustBoost,
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create source %s: %w", srcConfig.Domain, err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *Store) loadPIIRule(ctx context.Context, config *PIIRuleConfig) error {
|
||||
severity := PIISeverityBlock
|
||||
if config.Severity != "" {
|
||||
severity = PIISeverity(config.Severity)
|
||||
}
|
||||
|
||||
_, err := s.CreatePIIRule(ctx, &CreatePIIRuleRequest{
|
||||
Name: config.Name,
|
||||
RuleType: PIIRuleType(config.Type),
|
||||
Pattern: config.Pattern,
|
||||
Severity: severity,
|
||||
})
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
// ToJSON converts an entity to JSON for audit logging.
|
||||
func ToJSON(v interface{}) json.RawMessage {
|
||||
data, _ := json.Marshal(v)
|
||||
return data
|
||||
}
|
||||
Reference in New Issue
Block a user