Updated the security package

pkg/security/composite.go

@@ -0,0 +1,105 @@
+package security
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+)
+
+// CompositeSecurityProvider combines multiple security providers
+// Allows separating authentication, column security, and row security concerns
+type CompositeSecurityProvider struct {
+	auth    Authenticator
+	colSec  ColumnSecurityProvider
+	rowSec  RowSecurityProvider
+}
+
+// NewCompositeSecurityProvider creates a composite provider
+// All parameters are required
+func NewCompositeSecurityProvider(
+	auth Authenticator,
+	colSec ColumnSecurityProvider,
+	rowSec RowSecurityProvider,
+) *CompositeSecurityProvider {
+	if auth == nil {
+		panic("authenticator cannot be nil")
+	}
+	if colSec == nil {
+		panic("column security provider cannot be nil")
+	}
+	if rowSec == nil {
+		panic("row security provider cannot be nil")
+	}
+
+	return &CompositeSecurityProvider{
+		auth:   auth,
+		colSec: colSec,
+		rowSec: rowSec,
+	}
+}
+
+// Login delegates to the authenticator
+func (c *CompositeSecurityProvider) Login(ctx context.Context, req LoginRequest) (*LoginResponse, error) {
+	return c.auth.Login(ctx, req)
+}
+
+// Logout delegates to the authenticator
+func (c *CompositeSecurityProvider) Logout(ctx context.Context, req LogoutRequest) error {
+	return c.auth.Logout(ctx, req)
+}
+
+// Authenticate delegates to the authenticator
+func (c *CompositeSecurityProvider) Authenticate(r *http.Request) (*UserContext, error) {
+	return c.auth.Authenticate(r)
+}
+
+// GetColumnSecurity delegates to the column security provider
+func (c *CompositeSecurityProvider) GetColumnSecurity(ctx context.Context, userID int, schema, table string) ([]ColumnSecurity, error) {
+	return c.colSec.GetColumnSecurity(ctx, userID, schema, table)
+}
+
+// GetRowSecurity delegates to the row security provider
+func (c *CompositeSecurityProvider) GetRowSecurity(ctx context.Context, userID int, schema, table string) (RowSecurity, error) {
+	return c.rowSec.GetRowSecurity(ctx, userID, schema, table)
+}
+
+// Optional interface implementations (if wrapped providers support them)
+
+// RefreshToken implements Refreshable if the authenticator supports it
+func (c *CompositeSecurityProvider) RefreshToken(ctx context.Context, refreshToken string) (*LoginResponse, error) {
+	if refreshable, ok := c.auth.(Refreshable); ok {
+		return refreshable.RefreshToken(ctx, refreshToken)
+	}
+	return nil, fmt.Errorf("authenticator does not support token refresh")
+}
+
+// ValidateToken implements Validatable if the authenticator supports it
+func (c *CompositeSecurityProvider) ValidateToken(ctx context.Context, token string) (bool, error) {
+	if validatable, ok := c.auth.(Validatable); ok {
+		return validatable.ValidateToken(ctx, token)
+	}
+	return false, fmt.Errorf("authenticator does not support token validation")
+}
+
+// ClearCache implements Cacheable if any provider supports it
+func (c *CompositeSecurityProvider) ClearCache(ctx context.Context, userID int, schema, table string) error {
+	var errs []error
+
+	if cacheable, ok := c.colSec.(Cacheable); ok {
+		if err := cacheable.ClearCache(ctx, userID, schema, table); err != nil {
+			errs = append(errs, fmt.Errorf("column security cache clear failed: %w", err))
+		}
+	}
+
+	if cacheable, ok := c.rowSec.(Cacheable); ok {
+		if err := cacheable.ClearCache(ctx, userID, schema, table); err != nil {
+			errs = append(errs, fmt.Errorf("row security cache clear failed: %w", err))
+		}
+	}
+
+	if len(errs) > 0 {
+		return fmt.Errorf("cache clear errors: %v", errs)
+	}
+
+	return nil
+}