Benjamin_Boenisch/breakpilot-lehrer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b4613e26f3211176637f0744aef1d68cc9e9c6a7
breakpilot-lehrer/edu-search-service/internal/policy/store_audit.go
Benjamin Admin 9ba420fa91
Some checks failed
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / test-go-school (push) Successful in 42s
Details
CI / test-go-edu-search (push) Successful in 34s
Details
CI / test-python-klausur (push) Failing after 2m51s
Details
CI / test-python-agent-core (push) Successful in 21s
Details
CI / test-nodejs-website (push) Successful in 29s
Details
Fix: Remove broken getKlausurApiUrl and clean up empty lines 
sed replacement left orphaned hostname references in story page
and empty lines in getApiBase functions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-24 16:02:04 +02:00

412 lines
12 KiB
Go
Raw Blame History

package policy
import (
"context"
"encoding/json"
"fmt"
"time"
"github.com/google/uuid"
)
// =============================================================================
// AUDIT LOG
// =============================================================================
// CreateAuditLog creates a new audit log entry.
func (s *Store) CreateAuditLog(ctx context.Context, entry *PolicyAuditLog) error {
entry.ID = uuid.New()
entry.CreatedAt = time.Now()
query := `
INSERT INTO policy_audit_log (id, action, entity_type, entity_id, old_value, new_value,
user_id, user_email, ip_address, user_agent, created_at)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)`
_, err := s.pool.Exec(ctx, query,
entry.ID, entry.Action, entry.EntityType, entry.EntityID,
entry.OldValue, entry.NewValue, entry.UserID, entry.UserEmail,
entry.IPAddress, entry.UserAgent, entry.CreatedAt,
)
if err != nil {
return fmt.Errorf("failed to create audit log: %w", err)
}
return nil
}
// ListAuditLogs retrieves audit logs with filters.
func (s *Store) ListAuditLogs(ctx context.Context, filter *AuditLogFilter) ([]PolicyAuditLog, int, error) {
baseQuery := `FROM policy_audit_log WHERE 1=1`
args := []interface{}{}
argCount := 0
if filter.EntityType != nil {
argCount++
baseQuery += fmt.Sprintf(" AND entity_type = $%d", argCount)
args = append(args, *filter.EntityType)
}
if filter.EntityID != nil {
argCount++
baseQuery += fmt.Sprintf(" AND entity_id = $%d", argCount)
args = append(args, *filter.EntityID)
}
if filter.Action != nil {
argCount++
baseQuery += fmt.Sprintf(" AND action = $%d", argCount)
args = append(args, *filter.Action)
}
if filter.UserEmail != nil {
argCount++
baseQuery += fmt.Sprintf(" AND user_email ILIKE $%d", argCount)
args = append(args, "%"+*filter.UserEmail+"%")
}
if filter.FromDate != nil {
argCount++
baseQuery += fmt.Sprintf(" AND created_at >= $%d", argCount)
args = append(args, *filter.FromDate)
}
if filter.ToDate != nil {
argCount++
baseQuery += fmt.Sprintf(" AND created_at <= $%d", argCount)
args = append(args, *filter.ToDate)
}
// Count query
var total int
countQuery := "SELECT COUNT(*) " + baseQuery
err := s.pool.QueryRow(ctx, countQuery, args...).Scan(&total)
if err != nil {
return nil, 0, fmt.Errorf("failed to count audit logs: %w", err)
}
// Data query
dataQuery := `SELECT id, action, entity_type, entity_id, old_value, new_value,
user_id, user_email, ip_address, user_agent, created_at ` + baseQuery +
` ORDER BY created_at DESC`
if filter.Limit > 0 {
argCount++
dataQuery += fmt.Sprintf(" LIMIT $%d", argCount)
args = append(args, filter.Limit)
}
if filter.Offset > 0 {
argCount++
dataQuery += fmt.Sprintf(" OFFSET $%d", argCount)
args = append(args, filter.Offset)
}
rows, err := s.pool.Query(ctx, dataQuery, args...)
if err != nil {
return nil, 0, fmt.Errorf("failed to list audit logs: %w", err)
}
defer rows.Close()
logs := []PolicyAuditLog{}
for rows.Next() {
var l PolicyAuditLog
err := rows.Scan(
&l.ID, &l.Action, &l.EntityType, &l.EntityID, &l.OldValue, &l.NewValue,
&l.UserID, &l.UserEmail, &l.IPAddress, &l.UserAgent, &l.CreatedAt,
)
if err != nil {
return nil, 0, fmt.Errorf("failed to scan audit log: %w", err)
}
logs = append(logs, l)
}
return logs, total, nil
}
// =============================================================================
// BLOCKED CONTENT LOG
// =============================================================================
// CreateBlockedContentLog creates a new blocked content log entry.
func (s *Store) CreateBlockedContentLog(ctx context.Context, entry *BlockedContentLog) error {
entry.ID = uuid.New()
entry.CreatedAt = time.Now()
query := `
INSERT INTO blocked_content_log (id, url, domain, block_reason, matched_rule_id, details, created_at)
VALUES ($1, $2, $3, $4, $5, $6, $7)`
_, err := s.pool.Exec(ctx, query,
entry.ID, entry.URL, entry.Domain, entry.BlockReason,
entry.MatchedRuleID, entry.Details, entry.CreatedAt,
)
if err != nil {
return fmt.Errorf("failed to create blocked content log: %w", err)
}
return nil
}
// ListBlockedContent retrieves blocked content logs with filters.
func (s *Store) ListBlockedContent(ctx context.Context, filter *BlockedContentFilter) ([]BlockedContentLog, int, error) {
baseQuery := `FROM blocked_content_log WHERE 1=1`
args := []interface{}{}
argCount := 0
if filter.Domain != nil {
argCount++
baseQuery += fmt.Sprintf(" AND domain ILIKE $%d", argCount)
args = append(args, "%"+*filter.Domain+"%")
}
if filter.BlockReason != nil {
argCount++
baseQuery += fmt.Sprintf(" AND block_reason = $%d", argCount)
args = append(args, *filter.BlockReason)
}
if filter.FromDate != nil {
argCount++
baseQuery += fmt.Sprintf(" AND created_at >= $%d", argCount)
args = append(args, *filter.FromDate)
}
if filter.ToDate != nil {
argCount++
baseQuery += fmt.Sprintf(" AND created_at <= $%d", argCount)
args = append(args, *filter.ToDate)
}
// Count query
var total int
countQuery := "SELECT COUNT(*) " + baseQuery
err := s.pool.QueryRow(ctx, countQuery, args...).Scan(&total)
if err != nil {
return nil, 0, fmt.Errorf("failed to count blocked content: %w", err)
}
// Data query
dataQuery := `SELECT id, url, domain, block_reason, matched_rule_id, details, created_at ` + baseQuery +
` ORDER BY created_at DESC`
if filter.Limit > 0 {
argCount++
dataQuery += fmt.Sprintf(" LIMIT $%d", argCount)
args = append(args, filter.Limit)
}
if filter.Offset > 0 {
argCount++
dataQuery += fmt.Sprintf(" OFFSET $%d", argCount)
args = append(args, filter.Offset)
}
rows, err := s.pool.Query(ctx, dataQuery, args...)
if err != nil {
return nil, 0, fmt.Errorf("failed to list blocked content: %w", err)
}
defer rows.Close()
logs := []BlockedContentLog{}
for rows.Next() {
var l BlockedContentLog
err := rows.Scan(
&l.ID, &l.URL, &l.Domain, &l.BlockReason,
&l.MatchedRuleID, &l.Details, &l.CreatedAt,
)
if err != nil {
return nil, 0, fmt.Errorf("failed to scan blocked content: %w", err)
}
logs = append(logs, l)
}
return logs, total, nil
}
// =============================================================================
// STATISTICS
// =============================================================================
// GetStats retrieves aggregated statistics for the policy system.
func (s *Store) GetStats(ctx context.Context) (*PolicyStats, error) {
stats := &PolicyStats{
SourcesByLicense: make(map[string]int),
BlocksByReason: make(map[string]int),
}
// Active policies
err := s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM source_policies WHERE is_active = true`).Scan(&stats.ActivePolicies)
if err != nil {
return nil, fmt.Errorf("failed to count active policies: %w", err)
}
// Total sources
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM allowed_sources`).Scan(&stats.TotalSources)
if err != nil {
return nil, fmt.Errorf("failed to count total sources: %w", err)
}
// Active sources
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM allowed_sources WHERE is_active = true`).Scan(&stats.ActiveSources)
if err != nil {
return nil, fmt.Errorf("failed to count active sources: %w", err)
}
// Blocked today
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM blocked_content_log WHERE created_at >= CURRENT_DATE`).Scan(&stats.BlockedToday)
if err != nil {
return nil, fmt.Errorf("failed to count blocked today: %w", err)
}
// Blocked total
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM blocked_content_log`).Scan(&stats.BlockedTotal)
if err != nil {
return nil, fmt.Errorf("failed to count blocked total: %w", err)
}
// Active PII rules
err = s.pool.QueryRow(ctx, `SELECT COUNT(*) FROM pii_rules WHERE is_active = true`).Scan(&stats.PIIRulesActive)
if err != nil {
return nil, fmt.Errorf("failed to count active PII rules: %w", err)
}
// Sources by license
rows, err := s.pool.Query(ctx, `SELECT license, COUNT(*) FROM allowed_sources GROUP BY license`)
if err != nil {
return nil, fmt.Errorf("failed to count sources by license: %w", err)
}
defer rows.Close()
for rows.Next() {
var license string
var count int
if err := rows.Scan(&license, &count); err != nil {
return nil, err
}
stats.SourcesByLicense[license] = count
}
// Blocks by reason
rows, err = s.pool.Query(ctx, `SELECT block_reason, COUNT(*) FROM blocked_content_log GROUP BY block_reason`)
if err != nil {
return nil, fmt.Errorf("failed to count blocks by reason: %w", err)
}
defer rows.Close()
for rows.Next() {
var reason string
var count int
if err := rows.Scan(&reason, &count); err != nil {
return nil, err
}
stats.BlocksByReason[reason] = count
}
// Compliance score (simplified: active sources / total sources)
if stats.TotalSources > 0 {
stats.ComplianceScore = float64(stats.ActiveSources) / float64(stats.TotalSources) * 100
}
return stats, nil
}
// =============================================================================
// YAML LOADER
// =============================================================================
// LoadFromYAML loads initial policy data from YAML configuration.
func (s *Store) LoadFromYAML(ctx context.Context, config *BundeslaenderConfig) error {
// Load federal policy
if config.Federal.Name != "" {
err := s.loadPolicy(ctx, nil, &config.Federal, &config.DefaultOperations)
if err != nil {
return fmt.Errorf("failed to load federal policy: %w", err)
}
}
// Load Bundesland policies
for code, policyConfig := range config.Bundeslaender {
if code == "federal" || code == "default_operations" || code == "pii_rules" {
continue
}
bl := Bundesland(code)
err := s.loadPolicy(ctx, &bl, &policyConfig, &config.DefaultOperations)
if err != nil {
return fmt.Errorf("failed to load policy for %s: %w", code, err)
}
}
// Load PII rules
for _, ruleConfig := range config.PIIRules {
err := s.loadPIIRule(ctx, &ruleConfig)
if err != nil {
return fmt.Errorf("failed to load PII rule %s: %w", ruleConfig.Name, err)
}
}
return nil
}
func (s *Store) loadPolicy(ctx context.Context, bundesland *Bundesland, config *PolicyConfig, ops *OperationsConfig) error {
// Create policy
policy, err := s.CreatePolicy(ctx, &CreateSourcePolicyRequest{
Name: config.Name,
Bundesland: bundesland,
})
if err != nil {
return err
}
// Create sources
for _, srcConfig := range config.Sources {
trustBoost := 0.5
if srcConfig.TrustBoost > 0 {
trustBoost = srcConfig.TrustBoost
}
var legalBasis, citation *string
if srcConfig.LegalBasis != "" {
legalBasis = &srcConfig.LegalBasis
}
if srcConfig.CitationTemplate != "" {
citation = &srcConfig.CitationTemplate
}
_, err := s.CreateSource(ctx, &CreateAllowedSourceRequest{
PolicyID: policy.ID,
Domain: srcConfig.Domain,
Name: srcConfig.Name,
License: License(srcConfig.License),
LegalBasis: legalBasis,
CitationTemplate: citation,
TrustBoost: &trustBoost,
})
if err != nil {
return fmt.Errorf("failed to create source %s: %w", srcConfig.Domain, err)
}
}
return nil
}
func (s *Store) loadPIIRule(ctx context.Context, config *PIIRuleConfig) error {
severity := PIISeverityBlock
if config.Severity != "" {
severity = PIISeverity(config.Severity)
}
_, err := s.CreatePIIRule(ctx, &CreatePIIRuleRequest{
Name: config.Name,
RuleType: PIIRuleType(config.Type),
Pattern: config.Pattern,
Severity: severity,
})
return err
}
// ToJSON converts an entity to JSON for audit logging.
func ToJSON(v interface{}) json.RawMessage {
data, _ := json.Marshal(v)
return data
}
Reference in New Issue View Git Blame Copy Permalink