Skip to main content

systemprompt_security/authz/repository/
entities.rs

1use std::str::FromStr;
2
3use super::AccessControlRepository;
4use crate::authz::error::AuthzResult;
5use crate::authz::types::{EntityKind, EntityRow};
6
7impl AccessControlRepository {
8    /// Look up one entity catalog row. `Ok(None)` means the entity has no
9    /// catalog row at all (publish-pipeline bootstrap gap) — the resolver
10    /// turns this into [`crate::authz::DenyReason::UnknownEntity`].
11    pub async fn get_entity(
12        &self,
13        entity_type: EntityKind,
14        entity_id: &str,
15    ) -> AuthzResult<Option<EntityRow>> {
16        let row = sqlx::query!(
17            r#"
18            SELECT entity_type, entity_id, default_included, source
19            FROM access_control_entities
20            WHERE entity_type = $1 AND entity_id = $2
21            "#,
22            entity_type.as_str(),
23            entity_id,
24        )
25        .fetch_optional(&*self.pool)
26        .await?;
27
28        let Some(row) = row else {
29            return Ok(None);
30        };
31        Ok(Some(EntityRow {
32            kind: EntityKind::from_str(&row.entity_type)?,
33            id: row.entity_id,
34            default_included: row.default_included,
35            source: row.source,
36        }))
37    }
38
39    /// Upsert an entity catalog row. Always overwrites `default_included` and
40    /// `source` so the most recent bootstrap pass wins — the publish pipeline
41    /// is the source of truth and runs ahead of YAML grant ingestion.
42    pub async fn upsert_entity(
43        &self,
44        entity_type: EntityKind,
45        entity_id: &str,
46        default_included: bool,
47        source: &str,
48    ) -> AuthzResult<()> {
49        sqlx::query!(
50            r#"
51            INSERT INTO access_control_entities (entity_type, entity_id, default_included, source)
52            VALUES ($1, $2, $3, $4)
53            ON CONFLICT (entity_type, entity_id) DO UPDATE
54            SET default_included = EXCLUDED.default_included,
55                source = EXCLUDED.source,
56                updated_at = NOW()
57            "#,
58            entity_type.as_str(),
59            entity_id,
60            default_included,
61            source,
62        )
63        .execute(&*self.write_pool)
64        .await?;
65        Ok(())
66    }
67
68    /// Bulk-fetch every catalog row for a given kind. Used by the CLI lint and
69    /// the publish-pipeline validator to detect rules pointing at entities
70    /// the bootstrap pass never registered.
71    pub async fn list_entities(&self, entity_type: EntityKind) -> AuthzResult<Vec<EntityRow>> {
72        let rows = sqlx::query!(
73            r#"
74            SELECT entity_type, entity_id, default_included, source
75            FROM access_control_entities
76            WHERE entity_type = $1
77            ORDER BY entity_id
78            "#,
79            entity_type.as_str(),
80        )
81        .fetch_all(&*self.pool)
82        .await?;
83
84        let mut out = Vec::with_capacity(rows.len());
85        for row in rows {
86            out.push(EntityRow {
87                kind: EntityKind::from_str(&row.entity_type)?,
88                id: row.entity_id,
89                default_included: row.default_included,
90                source: row.source,
91            });
92        }
93        Ok(out)
94    }
95}