sharang
4c46d673fb
Replaces the M5.1-skeleton handler set with the M4.2 spec from
IMPLEMENTATION_PLAN.md:
Endpoints (authoritative shape in openapi.yaml):
POST /v1/tenants
GET /v1/tenants/{id}
GET /v1/tenants/by-slug/{slug}
POST /v1/tenants/{id}/activate
POST /v1/tenants/{id}/cancel
GET /v1/entitlements?tenant_id=...
GET /v1/catalog
POST /v1/catalog/request
POST /v1/catalog/trial-request
POST /v1/api-keys returns plaintext ONCE
GET /v1/api-keys?tenant_id=...
DELETE /v1/api-keys/{id}
POST /v1/internal/api-keys/verify always 200; valid: bool
POST /v1/audit
GET /v1/audit?{tenant_id,product,actor_id,action,since,until,limit,cursor}
Architecture:
internal/store/store.go Store interface (CRUD + audit + ping)
internal/store/memory.go in-process impl, used when DATABASE_URL
is empty (seed acme tenant, no migrations)
internal/store/postgres.go pgxpool impl against the M4.1 schema
internal/server/server.go router + healthz/readyz
internal/server/{tenants,catalog,apikeys,audit}.go
per-concern handlers (≤250 LoC each)
internal/server/helpers.go writeJSON/writeError/error mapping/log mw
openapi.yaml 3.1 spec; openapi_test.go is the contract gate
API keys:
Plaintext format 'bp_<22-char base64>'. Prefix bp_<8> stored for UI.
Hash is argon2id(salt, time=1, mem=64MB, threads=4, len=32) encoded as
'argon2id|<salt-b64>|<hash-b64>'. Format-tagged so we can rotate
parameters without re-keying. Verify is constant-time.
Store selection:
cmd/server picks Postgres when DATABASE_URL is set, otherwise Memory.
Both implementations are exercised by the same eachStore test harness —
parity is enforced.
Audit:
Every state-changing endpoint emits via s.emitAudit() (fire-and-forget).
audit_log uses ON DELETE SET NULL on tenant_id so forensic history
outlives tenant deletes (per M4.1 schema).
Routing constraint:
Go 1.22 ServeMux can't disambiguate /v1/tenants/{id}/products from
/v1/tenants/by-slug/{slug=products}. Per-tenant subresources moved to
query-param top-level paths: /v1/entitlements?tenant_id=… and
/v1/api-keys?tenant_id=….
Tests:
Every endpoint exercised against both Memory and Postgres via the
eachStore harness. Includes happy paths, validation errors, conflicts,
404s, auto-audit-emit assertion. testcontainers-go for the postgres
harness; gated by -short.
TestOpenAPISpec is the contract gate: every documented operation must
resolve against the router. (kin-openapi v0.138.0.)
Refs: M4.2
225 lines
6.5 KiB
Go
225 lines
6.5 KiB
Go
package server
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"net/http"
|
|
"regexp"
|
|
"time"
|
|
|
|
"gitea.meghsakha.com/platform/tenant-registry/internal/store"
|
|
)
|
|
|
|
// slug validation mirrors the schema CHECK in 0001_init.up.sql so we reject
|
|
// at the API boundary rather than waiting for the DB to do it.
|
|
var slugRE = regexp.MustCompile(`^[a-z0-9][a-z0-9-]{1,38}[a-z0-9]$`)
|
|
|
|
type createTenantReq struct {
|
|
Slug string `json:"slug"`
|
|
Name string `json:"name"`
|
|
Plan string `json:"plan,omitempty"`
|
|
Kind string `json:"kind,omitempty"`
|
|
SalesOwner string `json:"sales_owner,omitempty"`
|
|
}
|
|
|
|
func (s *Server) createTenant(w http.ResponseWriter, r *http.Request) {
|
|
var in createTenantReq
|
|
if !decodeJSON(w, r, &in) {
|
|
return
|
|
}
|
|
if !slugRE.MatchString(in.Slug) {
|
|
writeError(w, http.StatusBadRequest, "invalid_slug", "slug must match ^[a-z0-9][a-z0-9-]{1,38}[a-z0-9]$")
|
|
return
|
|
}
|
|
if in.Name == "" || len(in.Name) > 255 {
|
|
writeError(w, http.StatusBadRequest, "invalid_name", "name must be 1..255 chars")
|
|
return
|
|
}
|
|
if in.Kind != "" && in.Kind != "customer" && in.Kind != "demo" {
|
|
writeError(w, http.StatusBadRequest, "invalid_kind", "kind must be 'customer' or 'demo'")
|
|
return
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
|
|
defer cancel()
|
|
t, err := s.Store.CreateTenant(ctx, store.TenantCreate{
|
|
Slug: in.Slug, Name: in.Name, Plan: in.Plan, Kind: in.Kind, SalesOwner: in.SalesOwner,
|
|
})
|
|
if err != nil {
|
|
if mapStoreError(w, err) {
|
|
return
|
|
}
|
|
s.Log.Error("create tenant failed", "err", err)
|
|
writeError(w, http.StatusInternalServerError, "internal", "create failed")
|
|
return
|
|
}
|
|
|
|
s.emitAudit(ctx, r, store.AuditEvent{
|
|
TenantID: t.ID,
|
|
Action: "tenant.created",
|
|
TargetID: t.ID,
|
|
TargetType: "tenant",
|
|
TargetName: t.Slug,
|
|
Metadata: map[string]interface{}{"plan": t.Plan, "kind": t.Kind},
|
|
})
|
|
|
|
writeJSON(w, http.StatusCreated, t)
|
|
}
|
|
|
|
func (s *Server) getTenant(w http.ResponseWriter, r *http.Request) {
|
|
ctx, cancel := context.WithTimeout(r.Context(), 2*time.Second)
|
|
defer cancel()
|
|
t, err := s.Store.GetTenant(ctx, r.PathValue("id"))
|
|
if err != nil {
|
|
if mapStoreError(w, err) {
|
|
return
|
|
}
|
|
writeError(w, http.StatusInternalServerError, "internal", err.Error())
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, t)
|
|
}
|
|
|
|
func (s *Server) getTenantBySlug(w http.ResponseWriter, r *http.Request) {
|
|
ctx, cancel := context.WithTimeout(r.Context(), 2*time.Second)
|
|
defer cancel()
|
|
t, err := s.Store.GetTenantBySlug(ctx, r.PathValue("slug"))
|
|
if err != nil {
|
|
if mapStoreError(w, err) {
|
|
return
|
|
}
|
|
writeError(w, http.StatusInternalServerError, "internal", err.Error())
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, t)
|
|
}
|
|
|
|
type activateReq struct {
|
|
Plan string `json:"plan,omitempty"`
|
|
ContractStart *string `json:"contract_start,omitempty"` // YYYY-MM-DD
|
|
ContractEnd *string `json:"contract_end,omitempty"`
|
|
ErpCustomerID string `json:"erp_customer_id,omitempty"`
|
|
}
|
|
|
|
func (s *Server) activateTenant(w http.ResponseWriter, r *http.Request) {
|
|
var in activateReq
|
|
if !decodeJSON(w, r, &in) {
|
|
return
|
|
}
|
|
ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
upd := store.TenantUpdate{Status: ptrStr("active")}
|
|
if in.Plan != "" {
|
|
upd.Plan = &in.Plan
|
|
}
|
|
if in.ErpCustomerID != "" {
|
|
upd.ErpCustomerID = &in.ErpCustomerID
|
|
}
|
|
if cs, err := parseDate(in.ContractStart); err == nil && cs != nil {
|
|
upd.ContractStart = cs
|
|
} else if err != nil {
|
|
writeError(w, http.StatusBadRequest, "invalid_contract_start", "must be YYYY-MM-DD")
|
|
return
|
|
}
|
|
if ce, err := parseDate(in.ContractEnd); err == nil && ce != nil {
|
|
upd.ContractEnd = ce
|
|
} else if err != nil {
|
|
writeError(w, http.StatusBadRequest, "invalid_contract_end", "must be YYYY-MM-DD")
|
|
return
|
|
}
|
|
|
|
t, err := s.Store.UpdateTenant(ctx, r.PathValue("id"), upd)
|
|
if err != nil {
|
|
if mapStoreError(w, err) {
|
|
return
|
|
}
|
|
writeError(w, http.StatusInternalServerError, "internal", err.Error())
|
|
return
|
|
}
|
|
|
|
s.emitAudit(ctx, r, store.AuditEvent{
|
|
TenantID: t.ID, Action: "tenant.activated", TargetID: t.ID, TargetType: "tenant",
|
|
Metadata: map[string]interface{}{"plan": t.Plan, "erp_customer_id": t.ErpCustomerID},
|
|
})
|
|
|
|
writeJSON(w, http.StatusOK, t)
|
|
}
|
|
|
|
type cancelReq struct {
|
|
Reason string `json:"reason,omitempty"`
|
|
// AtPeriodEnd is a hint to billing; we always flip to 'frozen' immediately
|
|
// since billing is out of scope here.
|
|
AtPeriodEnd bool `json:"at_period_end,omitempty"`
|
|
}
|
|
|
|
func (s *Server) cancelTenant(w http.ResponseWriter, r *http.Request) {
|
|
var in cancelReq
|
|
if r.ContentLength > 0 {
|
|
if !decodeJSON(w, r, &in) {
|
|
return
|
|
}
|
|
}
|
|
ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
|
|
defer cancel()
|
|
t, err := s.Store.UpdateTenant(ctx, r.PathValue("id"), store.TenantUpdate{
|
|
Status: ptrStr("frozen"),
|
|
})
|
|
if err != nil {
|
|
if mapStoreError(w, err) {
|
|
return
|
|
}
|
|
writeError(w, http.StatusInternalServerError, "internal", err.Error())
|
|
return
|
|
}
|
|
s.emitAudit(ctx, r, store.AuditEvent{
|
|
TenantID: t.ID, Action: "tenant.canceled", TargetID: t.ID, TargetType: "tenant",
|
|
Metadata: map[string]interface{}{"reason": in.Reason, "at_period_end": in.AtPeriodEnd},
|
|
})
|
|
writeJSON(w, http.StatusOK, t)
|
|
}
|
|
|
|
func (s *Server) listTenantProducts(w http.ResponseWriter, r *http.Request) {
|
|
tenantID := r.URL.Query().Get("tenant_id")
|
|
if tenantID == "" {
|
|
writeError(w, http.StatusBadRequest, "invalid_input", "tenant_id query param is required")
|
|
return
|
|
}
|
|
ctx, cancel := context.WithTimeout(r.Context(), 2*time.Second)
|
|
defer cancel()
|
|
list, err := s.Store.ListTenantProducts(ctx, tenantID)
|
|
if err != nil {
|
|
if mapStoreError(w, err) {
|
|
return
|
|
}
|
|
writeError(w, http.StatusInternalServerError, "internal", err.Error())
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, map[string]any{"items": list})
|
|
}
|
|
|
|
// ─── helpers (internal to this file) ──────────────────────────────────────
|
|
|
|
func ptrStr(s string) *string { return &s }
|
|
|
|
func parseDate(p *string) (*time.Time, error) {
|
|
if p == nil || *p == "" {
|
|
return nil, nil
|
|
}
|
|
t, err := time.Parse("2006-01-02", *p)
|
|
if err != nil {
|
|
return nil, errors.New("invalid date")
|
|
}
|
|
return &t, nil
|
|
}
|
|
|
|
// emitAudit is a fire-and-forget audit emit. Failures are logged but not
|
|
// returned to the caller — the actual user-facing operation already succeeded.
|
|
func (s *Server) emitAudit(ctx context.Context, r *http.Request, ev store.AuditEvent) {
|
|
ev.SourceIP = clientIP(r)
|
|
ev.UserAgent = r.UserAgent()
|
|
if _, err := s.Store.AppendAudit(ctx, ev); err != nil {
|
|
s.Log.Warn("audit emit failed", "err", err, "action", ev.Action)
|
|
}
|
|
}
|