NexaVPN/backend/internal/policy/repository.go

package policy

import (
	"context"

	"github.com/google/uuid"
	"github.com/jackc/pgx/v5/pgxpool"
)

type Repository interface {
	List(ctx context.Context) ([]Policy, error)
	Create(ctx context.Context, input CreateRequest, createdBy uuid.UUID) (Policy, error)
	ResolveDestinations(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]string, error)
}

type PGRepository struct {
	db *pgxpool.Pool
}

func NewPGRepository(db *pgxpool.Pool) *PGRepository {
	return &PGRepository{db: db}
}

func (r *PGRepository) List(ctx context.Context) ([]Policy, error) {
	rows, err := r.db.Query(ctx, `
		select
			p.id,
			p.name,
			p.description,
			p.priority,
			p.effect,
			p.full_tunnel,
			p.is_active,
			coalesce(array_agg(pd.destination::text) filter (where pd.destination is not null), '{}')
		from policies p
		left join policy_destinations pd on pd.policy_id = p.id
		where p.deleted_at is null
		group by p.id, p.name, p.description, p.priority, p.effect, p.full_tunnel, p.is_active, p.created_at
		order by p.priority asc, p.created_at desc
	`)
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	var items []Policy
	for rows.Next() {
		var item Policy
		if err := rows.Scan(&item.ID, &item.Name, &item.Description, &item.Priority, &item.Effect, &item.FullTunnel, &item.IsActive, &item.Destinations); err != nil {
			return nil, err
		}
		items = append(items, item)
	}
	return items, rows.Err()
}

func (r *PGRepository) Create(ctx context.Context, input CreateRequest, createdBy uuid.UUID) (Policy, error) {
	tx, err := r.db.Begin(ctx)
	if err != nil {
		return Policy{}, err
	}
	defer tx.Rollback(ctx)

	policyID := uuid.New()
	_, err = tx.Exec(ctx, `
		insert into policies (id, name, description, priority, effect, full_tunnel, created_by)
		values ($1, $2, $3, $4, $5, $6, $7)
	`, policyID, input.Name, input.Description, input.Priority, input.Effect, input.FullTunnel, createdBy)
	if err != nil {
		return Policy{}, err
	}

	for _, destination := range input.Destinations {
		if _, err := tx.Exec(ctx, `
			insert into policy_destinations (id, policy_id, destination)
			values ($1, $2, $3::cidr)
		`, uuid.New(), policyID, destination); err != nil {
			return Policy{}, err
		}
	}

	for _, target := range input.Targets {
		if _, err := tx.Exec(ctx, `
			insert into policy_targets (id, policy_id, target_type, target_id)
			values ($1, $2, $3, $4)
		`, uuid.New(), policyID, target.Type, target.ID); err != nil {
			return Policy{}, err
		}
	}

	if err := tx.Commit(ctx); err != nil {
		return Policy{}, err
	}

	inputPolicy := Policy{
		ID:           policyID,
		Name:         input.Name,
		Description:  input.Description,
		Priority:     input.Priority,
		Effect:       input.Effect,
		FullTunnel:   input.FullTunnel,
		IsActive:     true,
		Destinations: input.Destinations,
		Targets:      input.Targets,
	}
	return inputPolicy, nil
}

func (r *PGRepository) ResolveDestinations(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]string, error) {
	query := `
		select distinct pd.destination::text
		from policies p
		join policy_destinations pd on pd.policy_id = p.id
		join policy_targets pt on pt.policy_id = p.id
		where p.deleted_at is null
		  and p.is_active = true
		  and p.effect = 'allow'
		  and (
			(pt.target_type = 'user' and pt.target_id = $1)
	`
	args := []any{userID}
	if deviceID != nil {
		query += ` or (pt.target_type = 'device' and pt.target_id = $2)`
		args = append(args, *deviceID)
	}
	query += `)`

	rows, err := r.db.Query(ctx, query, args...)
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	var destinations []string
	for rows.Next() {
		var value string
		if err := rows.Scan(&value); err != nil {
			return nil, err
		}
		destinations = append(destinations, value)
	}
	return destinations, rows.Err()
}