9ba420fa91
Some checks failed
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-school (push) Successful in 42s
CI / test-go-edu-search (push) Successful in 34s
CI / test-python-klausur (push) Failing after 2m51s
CI / test-python-agent-core (push) Successful in 21s
CI / test-nodejs-website (push) Successful in 29s
sed replacement left orphaned hostname references in story page and empty lines in getApiBase functions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
412 lines
12 KiB
Go
412 lines
12 KiB
Go
package policy
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
// =============================================================================
|
|
// AUDIT LOG
|
|
// =============================================================================
|
|
|
|
// CreateAuditLog creates a new audit log entry.
|
|
func (s *Store) CreateAuditLog(ctx context.Context, entry *PolicyAuditLog) error {
|
|
entry.ID = uuid.New()
|
|
entry.CreatedAt = time.Now()
|
|
|
|
query := `
|
|
INSERT INTO policy_audit_log (id, action, entity_type, entity_id, old_value, new_value,
|
|
user_id, user_email, ip_address, user_agent, created_at)
|
|
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)`
|
|
|
|
_, err := s.pool.Exec(ctx, query,
|
|
entry.ID, entry.Action, entry.EntityType, entry.EntityID,
|
|
entry.OldValue, entry.NewValue, entry.UserID, entry.UserEmail,
|
|
entry.IPAddress, entry.UserAgent, entry.CreatedAt,
|
|
)
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create audit log: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ListAuditLogs retrieves audit logs with filters.
|
|
func (s *Store) ListAuditLogs(ctx context.Context, filter *AuditLogFilter) ([]PolicyAuditLog, int, error) {
|
|
baseQuery := `FROM policy_audit_log WHERE 1=1`
|
|
args := []interface{}{}
|
|
argCount := 0
|
|
|
|
if filter.EntityType != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND entity_type = $%d", argCount)
|
|
args = append(args, *filter.EntityType)
|
|
}
|
|
|
|
if filter.EntityID != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND entity_id = $%d", argCount)
|
|
args = append(args, *filter.EntityID)
|
|
}
|
|
|
|
if filter.Action != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND action = $%d", argCount)
|
|
args = append(args, *filter.Action)
|
|
}
|
|
|
|
if filter.UserEmail != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND user_email ILIKE $%d", argCount)
|
|
args = append(args, "%"+*filter.UserEmail+"%")
|
|
}
|
|
|
|
if filter.FromDate != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND created_at >= $%d", argCount)
|
|
args = append(args, *filter.FromDate)
|
|
}
|
|
|
|
if filter.ToDate != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND created_at <= $%d", argCount)
|
|
args = append(args, *filter.ToDate)
|
|
}
|
|
|
|
// Count query
|
|
var total int
|
|
countQuery := "SELECT COUNT(*) " + baseQuery
|
|
err := s.pool.QueryRow(ctx, countQuery, args...).Scan(&total)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("failed to count audit logs: %w", err)
|
|
}
|
|
|
|
// Data query
|
|
dataQuery := `SELECT id, action, entity_type, entity_id, old_value, new_value,
|
|
user_id, user_email, ip_address, user_agent, created_at ` + baseQuery +
|
|
` ORDER BY created_at DESC`
|
|
|
|
if filter.Limit > 0 {
|
|
argCount++
|
|
dataQuery += fmt.Sprintf(" LIMIT $%d", argCount)
|
|
args = append(args, filter.Limit)
|
|
}
|
|
if filter.Offset > 0 {
|
|
argCount++
|
|
dataQuery += fmt.Sprintf(" OFFSET $%d", argCount)
|
|
args = append(args, filter.Offset)
|
|
}
|
|
|
|
rows, err := s.pool.Query(ctx, dataQuery, args...)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("failed to list audit logs: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
logs := []PolicyAuditLog{}
|
|
for rows.Next() {
|
|
var l PolicyAuditLog
|
|
err := rows.Scan(
|
|
&l.ID, &l.Action, &l.EntityType, &l.EntityID, &l.OldValue, &l.NewValue,
|
|
&l.UserID, &l.UserEmail, &l.IPAddress, &l.UserAgent, &l.CreatedAt,
|
|
)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("failed to scan audit log: %w", err)
|
|
}
|
|
logs = append(logs, l)
|
|
}
|
|
|
|
return logs, total, nil
|
|
}
|
|
|
|
// =============================================================================
|
|
// BLOCKED CONTENT LOG
|
|
// =============================================================================
|
|
|
|
// CreateBlockedContentLog creates a new blocked content log entry.
|
|
func (s *Store) CreateBlockedContentLog(ctx context.Context, entry *BlockedContentLog) error {
|
|
entry.ID = uuid.New()
|
|
entry.CreatedAt = time.Now()
|
|
|
|
query := `
|
|
INSERT INTO blocked_content_log (id, url, domain, block_reason, matched_rule_id, details, created_at)
|
|
VALUES ($1, $2, $3, $4, $5, $6, $7)`
|
|
|
|
_, err := s.pool.Exec(ctx, query,
|
|
entry.ID, entry.URL, entry.Domain, entry.BlockReason,
|
|
entry.MatchedRuleID, entry.Details, entry.CreatedAt,
|
|
)
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create blocked content log: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ListBlockedContent retrieves blocked content logs with filters.
|
|
func (s *Store) ListBlockedContent(ctx context.Context, filter *BlockedContentFilter) ([]BlockedContentLog, int, error) {
|
|
baseQuery := `FROM blocked_content_log WHERE 1=1`
|
|
args := []interface{}{}
|
|
argCount := 0
|
|
|
|
if filter.Domain != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND domain ILIKE $%d", argCount)
|
|
args = append(args, "%"+*filter.Domain+"%")
|
|
}
|
|
|
|
if filter.BlockReason != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND block_reason = $%d", argCount)
|
|
args = append(args, *filter.BlockReason)
|
|
}
|
|
|
|
if filter.FromDate != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND created_at >= $%d", argCount)
|
|
args = append(args, *filter.FromDate)
|
|
}
|
|
|
|
if filter.ToDate != nil {
|
|
argCount++
|
|
baseQuery += fmt.Sprintf(" AND created_at <= $%d", argCount)
|
|
args = append(args, *filter.ToDate)
|
|
}
|
|
|
|
// Count query
|
|
var total int
|
|
countQuery := "SELECT COUNT(*) " + baseQuery
|
|
err := s.pool.QueryRow(ctx, countQuery, args...).Scan(&total)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("failed to count blocked content: %w", err)
|
|
}
|
|
|
|
// Data query
|
|
dataQuery := `SELECT id, url, domain, block_reason, matched_rule_id, details, created_at ` + baseQuery +
|
|
` ORDER BY created_at DESC`
|
|
|
|
if filter.Limit > 0 {
|
|
argCount++
|
|
dataQuery += fmt.Sprintf(" LIMIT $%d", argCount)
|
|
args = append(args, filter.Limit)
|
|
}
|
|
if filter.Offset > 0 {
|
|
argCount++
|
|
dataQuery += fmt.Sprintf(" OFFSET $%d", argCount)
|
|
args = append(args, filter.Offset)
|
|
}
|
|
|
|
rows, err := s.pool.Query(ctx, dataQuery, args...)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("failed to list blocked content: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
logs := []BlockedContentLog{}
|
|
for rows.Next() {
|
|
var l BlockedContentLog
|
|
err := rows.Scan(
|
|
&l.ID, &l.URL, &l.Domain, &l.BlockReason,
|
|
&l.MatchedRuleID, &l.Details, &l.CreatedAt,
|
|
)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("failed to scan blocked content: %w", err)
|
|
}
|
|
logs = append(logs, l)
|
|
}
|
|
|
|
return logs, total, nil
|
|
}
|
|
|
|
// =============================================================================
|
|
// STATISTICS
|
|
// =============================================================================
|
|
|
|
// GetStats retrieves aggregated statistics for the policy system.
|
|
func (s *Store) GetStats(ctx context.Context) (*PolicyStats, error) {
|
|
stats := &PolicyStats{
|
|
SourcesByLicense: make(map[string]int),
|
|
BlocksByReason: make(map[string]int),
|
|
}
|
|
|
|
// Active policies
|
|
err := s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM source_policies WHERE is_active = true`).Scan(&stats.ActivePolicies)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to count active policies: %w", err)
|
|
}
|
|
|
|
// Total sources
|
|
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM allowed_sources`).Scan(&stats.TotalSources)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to count total sources: %w", err)
|
|
}
|
|
|
|
// Active sources
|
|
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM allowed_sources WHERE is_active = true`).Scan(&stats.ActiveSources)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to count active sources: %w", err)
|
|
}
|
|
|
|
// Blocked today
|
|
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM blocked_content_log WHERE created_at >= CURRENT_DATE`).Scan(&stats.BlockedToday)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to count blocked today: %w", err)
|
|
}
|
|
|
|
// Blocked total
|
|
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM blocked_content_log`).Scan(&stats.BlockedTotal)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to count blocked total: %w", err)
|
|
}
|
|
|
|
// Active PII rules
|
|
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM pii_rules WHERE is_active = true`).Scan(&stats.PIIRulesActive)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to count active PII rules: %w", err)
|
|
}
|
|
|
|
// Sources by license
|
|
rows, err := s.pool.Query(ctx, `SELECT license, COUNT(*) FROM allowed_sources GROUP BY license`)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to count sources by license: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
for rows.Next() {
|
|
var license string
|
|
var count int
|
|
if err := rows.Scan(&license, &count); err != nil {
|
|
return nil, err
|
|
}
|
|
stats.SourcesByLicense[license] = count
|
|
}
|
|
|
|
// Blocks by reason
|
|
rows, err = s.pool.Query(ctx, `SELECT block_reason, COUNT(*) FROM blocked_content_log GROUP BY block_reason`)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to count blocks by reason: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
for rows.Next() {
|
|
var reason string
|
|
var count int
|
|
if err := rows.Scan(&reason, &count); err != nil {
|
|
return nil, err
|
|
}
|
|
stats.BlocksByReason[reason] = count
|
|
}
|
|
|
|
// Compliance score (simplified: active sources / total sources)
|
|
if stats.TotalSources > 0 {
|
|
stats.ComplianceScore = float64(stats.ActiveSources) / float64(stats.TotalSources) * 100
|
|
}
|
|
|
|
return stats, nil
|
|
}
|
|
|
|
// =============================================================================
|
|
// YAML LOADER
|
|
// =============================================================================
|
|
|
|
// LoadFromYAML loads initial policy data from YAML configuration.
|
|
func (s *Store) LoadFromYAML(ctx context.Context, config *BundeslaenderConfig) error {
|
|
// Load federal policy
|
|
if config.Federal.Name != "" {
|
|
err := s.loadPolicy(ctx, nil, &config.Federal, &config.DefaultOperations)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to load federal policy: %w", err)
|
|
}
|
|
}
|
|
|
|
// Load Bundesland policies
|
|
for code, policyConfig := range config.Bundeslaender {
|
|
if code == "federal" || code == "default_operations" || code == "pii_rules" {
|
|
continue
|
|
}
|
|
bl := Bundesland(code)
|
|
err := s.loadPolicy(ctx, &bl, &policyConfig, &config.DefaultOperations)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to load policy for %s: %w", code, err)
|
|
}
|
|
}
|
|
|
|
// Load PII rules
|
|
for _, ruleConfig := range config.PIIRules {
|
|
err := s.loadPIIRule(ctx, &ruleConfig)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to load PII rule %s: %w", ruleConfig.Name, err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (s *Store) loadPolicy(ctx context.Context, bundesland *Bundesland, config *PolicyConfig, ops *OperationsConfig) error {
|
|
// Create policy
|
|
policy, err := s.CreatePolicy(ctx, &CreateSourcePolicyRequest{
|
|
Name: config.Name,
|
|
Bundesland: bundesland,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Create sources
|
|
for _, srcConfig := range config.Sources {
|
|
trustBoost := 0.5
|
|
if srcConfig.TrustBoost > 0 {
|
|
trustBoost = srcConfig.TrustBoost
|
|
}
|
|
|
|
var legalBasis, citation *string
|
|
if srcConfig.LegalBasis != "" {
|
|
legalBasis = &srcConfig.LegalBasis
|
|
}
|
|
if srcConfig.CitationTemplate != "" {
|
|
citation = &srcConfig.CitationTemplate
|
|
}
|
|
|
|
_, err := s.CreateSource(ctx, &CreateAllowedSourceRequest{
|
|
PolicyID: policy.ID,
|
|
Domain: srcConfig.Domain,
|
|
Name: srcConfig.Name,
|
|
License: License(srcConfig.License),
|
|
LegalBasis: legalBasis,
|
|
CitationTemplate: citation,
|
|
TrustBoost: &trustBoost,
|
|
})
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create source %s: %w", srcConfig.Domain, err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (s *Store) loadPIIRule(ctx context.Context, config *PIIRuleConfig) error {
|
|
severity := PIISeverityBlock
|
|
if config.Severity != "" {
|
|
severity = PIISeverity(config.Severity)
|
|
}
|
|
|
|
_, err := s.CreatePIIRule(ctx, &CreatePIIRuleRequest{
|
|
Name: config.Name,
|
|
RuleType: PIIRuleType(config.Type),
|
|
Pattern: config.Pattern,
|
|
Severity: severity,
|
|
})
|
|
|
|
return err
|
|
}
|
|
|
|
// ToJSON converts an entity to JSON for audit logging.
|
|
func ToJSON(v interface{}) json.RawMessage {
|
|
data, _ := json.Marshal(v)
|
|
return data
|
|
}
|