easyai-ai-gateway/apps/api/internal/httpapi/access_rule_handlers.go

package httpapi

import (
	"encoding/json"
	"errors"
	"net/http"
	"strings"

	"github.com/easyai/easyai-ai-gateway/apps/api/internal/auth"
	"github.com/easyai/easyai-ai-gateway/apps/api/internal/store"
)

func (s *Server) listAccessRules(w http.ResponseWriter, r *http.Request) {
	items, err := s.store.ListAccessRules(r.Context())
	if err != nil {
		s.logger.Error("list access rules failed", "error", err)
		writeError(w, http.StatusInternalServerError, "list access rules failed")
		return
	}
	writeJSON(w, http.StatusOK, map[string]any{"items": items})
}

func (s *Server) listAPIKeyAccessRules(w http.ResponseWriter, r *http.Request) {
	user, _ := auth.UserFromContext(r.Context())
	items, err := s.store.ListAPIKeyAccessRules(r.Context(), user)
	if err != nil {
		if errors.Is(err, store.ErrLocalUserRequired) {
			writeError(w, http.StatusBadRequest, err.Error())
			return
		}
		s.logger.Error("list api key access rules failed", "error", err)
		writeError(w, http.StatusInternalServerError, "list api key access rules failed")
		return
	}
	writeJSON(w, http.StatusOK, map[string]any{"items": items})
}

func (s *Server) createAccessRule(w http.ResponseWriter, r *http.Request) {
	var input store.AccessRuleInput
	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
		writeError(w, http.StatusBadRequest, "invalid json body")
		return
	}
	if !validAccessRuleInput(input) {
		writeError(w, http.StatusBadRequest, "subject, resource and effect are required")
		return
	}
	item, err := s.store.CreateAccessRule(r.Context(), input)
	if err != nil {
		if store.IsUniqueViolation(err) {
			writeError(w, http.StatusConflict, "access rule already exists")
			return
		}
		s.logger.Error("create access rule failed", "error", err)
		writeError(w, http.StatusInternalServerError, "create access rule failed")
		return
	}
	writeJSON(w, http.StatusCreated, item)
}

func (s *Server) batchAccessRules(w http.ResponseWriter, r *http.Request) {
	var input store.AccessRuleBatchInput
	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
		writeError(w, http.StatusBadRequest, "invalid json body")
		return
	}
	if !validAccessRuleBatchInput(input) {
		writeError(w, http.StatusBadRequest, "subject, effect and resources are required")
		return
	}
	items, err := s.store.BatchAccessRules(r.Context(), input)
	if err != nil {
		s.logger.Error("batch access rules failed", "error", err)
		writeError(w, http.StatusInternalServerError, "batch access rules failed")
		return
	}
	writeJSON(w, http.StatusOK, map[string]any{"items": items})
}

func (s *Server) batchAPIKeyAccessRules(w http.ResponseWriter, r *http.Request) {
	user, _ := auth.UserFromContext(r.Context())
	var input store.AccessRuleBatchInput
	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
		writeError(w, http.StatusBadRequest, "invalid json body")
		return
	}
	if !validAccessRuleBatchInput(input) || input.SubjectType != "api_key" {
		writeError(w, http.StatusBadRequest, "api key subject, effect and resources are required")
		return
	}
	items, err := s.store.BatchAPIKeyAccessRules(r.Context(), input, user)
	if err != nil {
		if errors.Is(err, store.ErrLocalUserRequired) {
			writeError(w, http.StatusBadRequest, err.Error())
			return
		}
		if store.IsNotFound(err) {
			writeError(w, http.StatusNotFound, "api key not found")
			return
		}
		if errors.Is(err, store.ErrAccessRuleResourceDenied) {
			writeError(w, http.StatusForbidden, "resource is not available for current user group")
			return
		}
		s.logger.Error("batch api key access rules failed", "error", err)
		writeError(w, http.StatusInternalServerError, "batch api key access rules failed")
		return
	}
	writeJSON(w, http.StatusOK, map[string]any{"items": items})
}

func (s *Server) updateAccessRule(w http.ResponseWriter, r *http.Request) {
	var input store.AccessRuleInput
	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
		writeError(w, http.StatusBadRequest, "invalid json body")
		return
	}
	if !validAccessRuleInput(input) {
		writeError(w, http.StatusBadRequest, "subject, resource and effect are required")
		return
	}
	item, err := s.store.UpdateAccessRule(r.Context(), r.PathValue("ruleID"), input)
	if err != nil {
		if store.IsNotFound(err) {
			writeError(w, http.StatusNotFound, "access rule not found")
			return
		}
		if store.IsUniqueViolation(err) {
			writeError(w, http.StatusConflict, "access rule already exists")
			return
		}
		s.logger.Error("update access rule failed", "error", err)
		writeError(w, http.StatusInternalServerError, "update access rule failed")
		return
	}
	writeJSON(w, http.StatusOK, item)
}

func (s *Server) deleteAccessRule(w http.ResponseWriter, r *http.Request) {
	if err := s.store.DeleteAccessRule(r.Context(), r.PathValue("ruleID")); err != nil {
		if store.IsNotFound(err) {
			writeError(w, http.StatusNotFound, "access rule not found")
			return
		}
		s.logger.Error("delete access rule failed", "error", err)
		writeError(w, http.StatusInternalServerError, "delete access rule failed")
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

func validAccessRuleInput(input store.AccessRuleInput) bool {
	return validOneOf(input.SubjectType, "user_group", "tenant", "user", "api_key") &&
		strings.TrimSpace(input.SubjectID) != "" &&
		validOneOf(input.ResourceType, "platform", "platform_model", "base_model") &&
		strings.TrimSpace(input.ResourceID) != "" &&
		validOneOf(input.Effect, "allow", "deny") &&
		(input.Status == "" || validOneOf(input.Status, "active", "disabled"))
}

func validAccessRuleBatchInput(input store.AccessRuleBatchInput) bool {
	if !validOneOf(input.SubjectType, "user_group", "tenant", "user", "api_key") ||
		strings.TrimSpace(input.SubjectID) == "" ||
		!validOneOf(input.Effect, "allow", "deny") {
		return false
	}
	if len(input.UpsertResources) == 0 && len(input.DeleteResources) == 0 {
		return false
	}
	for _, resource := range append(input.UpsertResources, input.DeleteResources...) {
		if !validOneOf(resource.ResourceType, "platform", "platform_model", "base_model") ||
			strings.TrimSpace(resource.ResourceID) == "" ||
			(resource.Status != "" && !validOneOf(resource.Status, "active", "disabled")) {
			return false
		}
	}
	return true
}

func validOneOf(value string, allowed ...string) bool {
	value = strings.TrimSpace(value)
	for _, item := range allowed {
		if value == item {
			return true
		}
	}
	return false
}