mirror of
https://github.com/coder/coder.git
synced 2026-06-03 21:18:24 +00:00
Sas Swart
3bf5f80277
RFC: [Bridge ↔ Boundaries Correlation RFC](https://www.notion.so/coderhq/Gateway-and-Firewall-Correlation-RFC-31ad579be592803aa8b3d48348ccdde9) Add up/down migrations and matching sqlc queries for persisting Boundary audit events, as specified in the Bridge/Boundaries Correlation RFC. **Tables:** - `boundary_sessions`: session metadata with `workspace_agent_id` FK, `confined_process_name`, and timestamps (`started_at`, `updated_at`). ID is externally supplied by the Boundary process (no DB-side default). Created lazily when the first log for a session arrives. - `boundary_logs`: individual audit events with `session_id` FK, `sequence_number` (INT, primary ordering key), protocol/method/detail fields, and `matched_rule` (nullable; non-NULL implies allowed). **Indexes (per RFC):** - `(session_id, sequence_number)` for the ordering query path - `(captured_at)` for the retention purge path **Queries:** - `InsertBoundarySession` / `GetBoundarySessionByID` - `InsertBoundaryLog` / `GetBoundaryLogByID` - `ListBoundaryLogsBySessionID` with nullable `seq_after`/`seq_before` exclusive bounds for fetching events between two known interception sequence numbers - `DeleteOldBoundaryLogs` with row limit to avoid long-running transactions **Also includes:** dbgen helpers (`BoundarySession`, `BoundaryLog`), dbauthz implementations (reads gated on `ResourceAuditLog`, deletes on `ResourceSystem`), and all generated wrappers (dbmock, dbmetrics). No callers yet. A follow-up PR will add the dedicated `boundary_log` RBAC resource type. > Generated by Coder Agents
77 lines
1.8 KiB
SQL
77 lines
1.8 KiB
SQL
-- name: InsertBoundarySession :one
|
|
INSERT INTO boundary_sessions (
|
|
id,
|
|
workspace_agent_id,
|
|
confined_process_name,
|
|
started_at,
|
|
updated_at
|
|
) VALUES (
|
|
@id,
|
|
@workspace_agent_id,
|
|
@confined_process_name,
|
|
@started_at,
|
|
@updated_at
|
|
) RETURNING *;
|
|
|
|
-- name: GetBoundarySessionByID :one
|
|
SELECT * FROM boundary_sessions WHERE id = @id;
|
|
|
|
-- name: InsertBoundaryLog :one
|
|
INSERT INTO boundary_logs (
|
|
id,
|
|
session_id,
|
|
sequence_number,
|
|
captured_at,
|
|
created_at,
|
|
proto,
|
|
method,
|
|
detail,
|
|
matched_rule
|
|
) VALUES (
|
|
@id,
|
|
@session_id,
|
|
@sequence_number,
|
|
@captured_at,
|
|
@created_at,
|
|
@proto,
|
|
@method,
|
|
@detail,
|
|
@matched_rule
|
|
) RETURNING *;
|
|
|
|
-- name: GetBoundaryLogByID :one
|
|
SELECT * FROM boundary_logs WHERE id = @id;
|
|
|
|
-- name: ListBoundaryLogsBySessionID :many
|
|
-- Lists boundary logs for a session, sorted by sequence number ascending.
|
|
-- Supports optional exclusive sequence number bounds (seq_after, seq_before)
|
|
-- for fetching events between two known interceptions.
|
|
SELECT *
|
|
FROM boundary_logs
|
|
WHERE
|
|
session_id = @session_id
|
|
AND CASE
|
|
WHEN sqlc.narg('seq_after')::int IS NOT NULL THEN sequence_number > sqlc.narg('seq_after')
|
|
ELSE true
|
|
END
|
|
AND CASE
|
|
WHEN sqlc.narg('seq_before')::int IS NOT NULL THEN sequence_number < sqlc.narg('seq_before')
|
|
ELSE true
|
|
END
|
|
ORDER BY sequence_number ASC
|
|
LIMIT COALESCE(NULLIF(@limit_opt::int, 0), 100);
|
|
|
|
-- name: DeleteOldBoundaryLogs :execrows
|
|
-- Deletes boundary logs older than the given time, bounded by a row limit
|
|
-- to avoid long-running transactions.
|
|
WITH old_logs AS (
|
|
SELECT id
|
|
FROM boundary_logs
|
|
WHERE captured_at < @before_time::timestamptz
|
|
ORDER BY captured_at ASC
|
|
LIMIT @limit_count
|
|
)
|
|
DELETE FROM boundary_logs
|
|
USING old_logs
|
|
WHERE boundary_logs.id = old_logs.id;
|