v1: Integrate compliance policy snapshots into blueprint handlers

Integrate compliance policy snapshot creation into blueprint lifecycle handlers.

When blueprints use compliance policies, we now capture and
store the generated TOML to enable policy change detection.

This allows detecting when compliance customizations become obsolete:
User creates blueprint with policy A → snapshot saved
User updates to policy B → compare snapshots to identify removed customizations
User can be informed about customizations that may no longer be needed

Changes:
Update CreateBlueprint, UpdateBlueprint, and FixupBlueprint handlers
Add buildServiceSnapshots() helper function
Add null-byte validation for service snapshots
Update tests for snapshot integration

Author: mgold1234

internal/v1/handler_blueprints.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log/slog"
 	"net/http"
 	"net/url"
 	"regexp"
@@ -144,6 +145,51 @@ func (u *User) MergeForUpdate(userData []User) error {
 	return nil
 }
 
+// Helper function to build service snapshots if compliance policy exists
+func (h *Handlers) buildServiceSnapshots(ctx echo.Context, customizations *Customizations, distribution Distributions) (*db.ServiceSnapshots, error) {
+	if customizations.Openscap == nil {
+		return nil, nil
+	}
+
+	var compl OpenSCAPCompliance
+	compl, err := customizations.Openscap.AsOpenSCAPCompliance()
+	if err != nil {
+		slog.ErrorContext(ctx.Request().Context(), "error in AsOpenSCAPCompliance", "error", err.Error())
+		return nil, err
+	}
+	if compl.PolicyId == uuid.Nil {
+		return nil, nil
+	}
+
+	var cust Customizations
+	_, err = h.lintOpenscap(ctx, &cust, true, distribution, compl.PolicyId.String())
+	if err != nil {
+		slog.ErrorContext(ctx.Request().Context(), "error getting policy customizations via lintOpenscap",
+			"error", err.Error(), "distribution", distribution, "policy_id", compl.PolicyId.String())
+		return nil, err
+	}
+
+	policyCustomizationsJSON, err := json.Marshal(cust)
+	if err != nil {
+		slog.ErrorContext(ctx.Request().Context(), "error marshaling policy customizations to JSON",
+			"error", err.Error(), "policy_id", compl.PolicyId.String())
+		return nil, err
+	}
+
+	serviceSnapshots := &db.ServiceSnapshots{
+		Compliance: &db.ComplianceSnapshot{
+			PolicyId:             compl.PolicyId,
+			PolicyCustomizations: policyCustomizationsJSON,
+		},
+	}
+
+	slog.DebugContext(ctx.Request().Context(), "built compliance snapshot",
+		"policy_id", compl.PolicyId,
+		"distribution", distribution)
+
+	return serviceSnapshots, nil
+}
+
 // Util function used to create and update Blueprint from API request (WRITE)
 func BlueprintFromAPI(cbr CreateBlueprintRequest) (BlueprintBody, error) {
 	bb := BlueprintBody{
@@ -237,7 +283,12 @@ func (h *Handlers) CreateBlueprint(ctx echo.Context) error {
 
 	id := uuid.New()
 	versionId := uuid.New()
-	ctx.Logger().Infof("Inserting blueprint: %s (%s), for orgID: %s and account: %s", blueprintRequest.Name, id, userID.OrgID(), userID.AccountNumber())
+	slog.DebugContext(ctx.Request().Context(), "inserting blueprint",
+		"name", blueprintRequest.Name,
+		"id", id,
+		"org_id", userID.OrgID(),
+		"account", userID.AccountNumber())
+
 	desc := ""
 	if blueprintRequest.Description != nil {
 		desc = *blueprintRequest.Description
@@ -268,9 +319,26 @@ func (h *Handlers) CreateBlueprint(ctx echo.Context) error {
 		return err
 	}
 
-	err = h.server.db.InsertBlueprint(ctx.Request().Context(), id, versionId, userID.OrgID(), userID.AccountNumber(), blueprintRequest.Name, desc, body, metadata)
+	serviceSnapshots, err := h.buildServiceSnapshots(ctx, &blueprintRequest.Customizations, blueprintRequest.Distribution)
 	if err != nil {
-		ctx.Logger().Errorf("Error inserting id into db: %s", err.Error())
+		slog.ErrorContext(ctx.Request().Context(), "error building service snapshots",
+			"blueprint_id", id,
+			"error", err.Error())
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to build compliance snapshots")
+	}
+
+	var serviceSnapshotsJSON json.RawMessage
+	if serviceSnapshots != nil {
+		serviceSnapshotsJSON, err = json.Marshal(serviceSnapshots)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to marshal service snapshots")
+		}
+	}
+
+	err = h.server.db.InsertBlueprint(ctx.Request().Context(), id, versionId, userID.OrgID(), userID.AccountNumber(), blueprintRequest.Name, desc, body, metadata, serviceSnapshotsJSON)
+	if err != nil {
+		slog.ErrorContext(ctx.Request().Context(), "error inserting blueprint with service snapshots into db",
+			"error", err.Error())
 
 		var e *pgconn.PgError
 		if errors.As(err, &e) && e.Code == pgerrcode.UniqueViolation {
@@ -283,7 +351,6 @@ func (h *Handlers) CreateBlueprint(ctx echo.Context) error {
 		}
 		return err
 	}
-	ctx.Logger().Infof("Inserted blueprint %s", id)
 	return ctx.JSON(http.StatusCreated, ComposeResponse{
 		Id: id,
 	})
@@ -294,8 +361,7 @@ func (h *Handlers) GetBlueprint(ctx echo.Context, id openapi_types.UUID, params
 	if err != nil {
 		return err
 	}
-
-	ctx.Logger().Infof("Fetching blueprint %s", id)
+	slog.DebugContext(ctx.Request().Context(), "fetching blueprint", "id", id)
 	if params.Version != nil && *params.Version <= 0 {
 		if *params.Version != -1 {
 			return echo.NewHTTPError(http.StatusBadRequest, "Invalid version number")
@@ -366,8 +432,6 @@ func (h *Handlers) ExportBlueprint(ctx echo.Context, id openapi_types.UUID) erro
 	if err != nil {
 		return err
 	}
-
-	ctx.Logger().Infof("Fetching blueprint %s", id)
 	blueprintEntry, err := h.server.db.GetBlueprint(ctx.Request().Context(), id, userID.OrgID(), nil)
 	if err != nil {
 		if errors.Is(err, db.ErrBlueprintNotFound) {
@@ -428,7 +492,7 @@ func (h *Handlers) ExportBlueprint(ctx echo.Context, id openapi_types.UUID) erro
 	}
 
 	if exportedRepositoriesResp.Body == nil {
-		ctx.Logger().Warnf("Unable to export custom repositories, empty body")
+		slog.WarnContext(ctx.Request().Context(), "unable to export custom repositories, empty body")
 		return ctx.JSON(http.StatusOK, blueprintExportResponse)
 	}
 
@@ -519,15 +583,32 @@ func (h *Handlers) UpdateBlueprint(ctx echo.Context, blueprintId uuid.UUID) erro
 	if blueprintRequest.Description != nil {
 		desc = *blueprintRequest.Description
 	}
-	err = h.server.db.UpdateBlueprint(ctx.Request().Context(), versionId, blueprintId, userID.OrgID(), blueprintRequest.Name, desc, body)
+
+	serviceSnapshots, err := h.buildServiceSnapshots(ctx, &blueprintRequest.Customizations, blueprintRequest.Distribution)
+	if err != nil {
+		slog.ErrorContext(ctx.Request().Context(), "error building service snapshots",
+			"blueprint_id", blueprintId,
+			"error", err.Error())
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to build compliance snapshots")
+	}
+
+	var serviceSnapshotsJSON json.RawMessage
+	if serviceSnapshots != nil {
+		serviceSnapshotsJSON, err = json.Marshal(serviceSnapshots)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to marshal service snapshots")
+		}
+	}
+
+	err = h.server.db.UpdateBlueprint(ctx.Request().Context(), versionId, blueprintId, userID.OrgID(), blueprintRequest.Name, desc, body, serviceSnapshotsJSON)
 	if err != nil {
-		ctx.Logger().Errorf("Error updating blueprint in db: %v", err)
+		slog.ErrorContext(ctx.Request().Context(), "error updating blueprint with service snapshots in db",
+			"error", err)
 		if errors.Is(err, db.ErrBlueprintNotFound) {
 			return echo.NewHTTPError(http.StatusNotFound, err)
 		}
 		return err
 	}
-	ctx.Logger().Infof("Updated blueprint %s", blueprintId)
 	return ctx.JSON(http.StatusCreated, ComposeResponse{
 		Id: blueprintId,
 	})
@@ -681,7 +762,7 @@ func (h *Handlers) GetBlueprintComposes(ctx echo.Context, blueprintId openapi_ty
 	composes, err := h.server.db.GetBlueprintComposes(ctx.Request().Context(), userID.OrgID(), blueprintId, params.BlueprintVersion, since, limit, offset, ignoreImageTypeStrings)
 	if err != nil {
 		if errors.Is(err, db.ErrBlueprintNotFound) {
-			return echo.NewHTTPError(http.StatusNotFound)
+			return echo.NewHTTPError(http.StatusNotFound, err)
 		}
 		return err
 	}
@@ -787,14 +868,37 @@ func (h *Handlers) FixupBlueprint(ctx echo.Context, id openapi_types.UUID) error
 		return err
 	}
 	desc := common.FromPtr(blueprintRequest.Description)
+	slog.DebugContext(ctx.Request().Context(), "starting buildServiceSnapshots during fixup",
+		"blueprint_id", blueprintEntry.Id,
+		"distribution", blueprintRequest.Distribution,
+		"has_openscap", blueprintRequest.Customizations.Openscap != nil)
 
-	err = h.server.db.UpdateBlueprint(ctx.Request().Context(), uuid.New(), blueprintEntry.Id, userID.OrgID(), blueprintRequest.Name, desc, body)
+	serviceSnapshots, err := h.buildServiceSnapshots(ctx, &blueprintRequest.Customizations, blueprintRequest.Distribution)
 	if err != nil {
-		ctx.Logger().Errorf("Error updating blueprint in db: %v", err)
+		slog.ErrorContext(ctx.Request().Context(), "error building service snapshots during fixup",
+			"blueprint_id", blueprintEntry.Id,
+			"error", err.Error())
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to build compliance snapshots during fixup")
+	}
+
+	var serviceSnapshotsJSON json.RawMessage
+	if serviceSnapshots != nil {
+		serviceSnapshotsJSON, err = json.Marshal(serviceSnapshots)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to marshal service snapshots")
+		}
+	}
+
+	versionId := uuid.New()
+	err = h.server.db.UpdateBlueprint(ctx.Request().Context(), versionId, blueprintEntry.Id, userID.OrgID(), blueprintRequest.Name, desc, body, serviceSnapshotsJSON)
+	if err != nil {
+		slog.ErrorContext(ctx.Request().Context(), "error updating blueprint in db during fixup",
+			"error", err)
 		if errors.Is(err, db.ErrBlueprintNotFound) {
 			return echo.NewHTTPError(http.StatusNotFound, err)
 		}
 		return err
 	}
+
 	return ctx.NoContent(http.StatusCreated)
 }