feat: add variable protection duration with admin-configurable max limit

Replace checkbox protection toggle with a dropdown that allows users to
select protection duration (1 hour, 1 day, 2 days, 7 days, forever).
The admin can now configure a maximum allowed protection duration to
prevent abuse.

- Change protectionRenewalDurationMinutes to protectionMaxDurationMinutes
- Add protectionDurationMinutes parameter to create/update clone APIs
- Update UI to use dropdown for protection duration selection
- Update swagger specs with new API parameters
- Adjust default protection duration from 7 days to 1 day

Author: claude

engine/api/swagger-spec/dblab_openapi.yaml

@@ -1516,6 +1516,14 @@ components:
           type: array
           items:
             $ref: '#/components/schemas/Clone'
+        protectionLeaseDurationMinutes:
+          type: integer
+          format: int64
+          description: Default protection lease duration in minutes
+        protectionMaxDurationMinutes:
+          type: integer
+          format: int64
+          description: Maximum allowed protection duration in minutes
     Retrieving:
       type: object
       properties:
@@ -1666,10 +1674,10 @@ components:
           type: integer
           format: int64
           description: Protection lease duration in minutes
-        protectionRenewalDurationMinutes:
+        protectionMaxDurationMinutes:
           type: integer
           format: int64
-          description: Protection renewal duration in minutes
+          description: Maximum allowed protection duration in minutes
     CreateClone:
       type: object
       properties:
@@ -1685,6 +1693,10 @@ components:
         protected:
           type: boolean
           default:
+        protectionDurationMinutes:
+          type: integer
+          format: int64
+          description: Protection duration in minutes. 0 means forever, omit for default duration.
         db:
           type: object
           properties:
@@ -1715,10 +1727,10 @@ components:
         protected:
           type: boolean
           default: false
-        renewLease:
-          type: boolean
-          default: false
-          description: When true, renews the protection lease for the clone
+        protectionDurationMinutes:
+          type: integer
+          format: int64
+          description: Protection duration in minutes. 0 means forever, omit for default duration.
     StartObservationRequest:
       type: object
       properties:

engine/api/swagger-spec/dblab_server_swagger.yaml

@@ -947,6 +947,14 @@ components:
           type: "array"
           items:
             $ref: "#/components/schemas/Clone"
+        protectionLeaseDurationMinutes:
+          type: "integer"
+          format: "int64"
+          description: "Default protection lease duration in minutes"
+        protectionMaxDurationMinutes:
+          type: "integer"
+          format: "int64"
+          description: "Maximum allowed protection duration in minutes"
 
     Retrieving:
       type: "object"
@@ -1101,10 +1109,10 @@ components:
           type: "integer"
           format: "int64"
           description: "Protection lease duration in minutes"
-        protectionRenewalDurationMinutes:
+        protectionMaxDurationMinutes:
           type: "integer"
           format: "int64"
-          description: "Protection renewal duration in minutes"
+          description: "Maximum allowed protection duration in minutes"
 
     CreateClone:
       type: "object"
@@ -1119,6 +1127,10 @@ components:
         protected:
           type: "boolean"
           default: false
+        protectionDurationMinutes:
+          type: "integer"
+          format: "int64"
+          description: "Protection duration in minutes. 0 means forever, omit for default duration."
         db:
           type: "object"
           properties:
@@ -1148,10 +1160,10 @@ components:
         protected:
           type: "boolean"
           default: false
-        renewLease:
-          type: "boolean"
-          default: false
-          description: "When true, renews the protection lease for the clone"
+        protectionDurationMinutes:
+          type: "integer"
+          format: "int64"
+          description: "Protection duration in minutes. 0 means forever, omit for default duration."
 
     StartObservationRequest:
       type: "object"

engine/configs/config.example.logical_generic.yml

@@ -146,8 +146,8 @@ retrieval:  # Data retrieval: initial sync and ongoing updates. Two methods:
 cloning:
   accessHost: "localhost" # Host that will be specified in database connection info for all clones (only used to inform users)
   maxIdleMinutes: 120 # Automatically delete clones after the specified minutes of inactivity; 0 - disable automatic deletion
-  protectionLeaseDurationMinutes: 10080 # Clone protection lease duration in minutes (default: 7 days); 0 - infinite protection
-  protectionRenewalDurationMinutes: 4320 # Renewal duration in minutes (default: 3 days); 0 - use initial duration
+  protectionLeaseDurationMinutes: 1440 # Default protection duration in minutes (default: 1 day); 0 - infinite protection
+  protectionMaxDurationMinutes: 10080 # Maximum allowed protection duration in minutes (default: 7 days); 0 - no limit
   protectionExpiryWarningMinutes: 1440 # Send warning webhook N minutes before expiry (default: 24 hours)
 
 diagnostic:

engine/configs/config.example.logical_rds_iam.yml

@@ -146,8 +146,8 @@ retrieval:  # Data retrieval: initial sync and ongoing updates. Two methods:
 cloning:
   accessHost: "localhost" # Host that will be specified in database connection info for all clones (only used to inform users)
   maxIdleMinutes: 120 # Automatically delete clones after the specified minutes of inactivity; 0 - disable automatic deletion
-  protectionLeaseDurationMinutes: 10080 # Clone protection lease duration in minutes (default: 7 days); 0 - infinite protection
-  protectionRenewalDurationMinutes: 4320 # Renewal duration in minutes (default: 3 days); 0 - use initial duration
+  protectionLeaseDurationMinutes: 1440 # Default protection duration in minutes (default: 1 day); 0 - infinite protection
+  protectionMaxDurationMinutes: 10080 # Maximum allowed protection duration in minutes (default: 7 days); 0 - no limit
   protectionExpiryWarningMinutes: 1440 # Send warning webhook N minutes before expiry (default: 24 hours)
 
 diagnostic:

engine/configs/config.example.physical_generic.yml

@@ -114,8 +114,8 @@ retrieval:  # Data retrieval: initial sync and ongoing updates. Two methods:
 cloning:
   accessHost: "localhost" # Host that will be specified in database connection info for all clones (only used to inform users)
   maxIdleMinutes: 120 # Automatically delete clones after the specified minutes of inactivity; 0 - disable automatic deletion
-  protectionLeaseDurationMinutes: 10080 # Clone protection lease duration in minutes (default: 7 days); 0 - infinite protection
-  protectionRenewalDurationMinutes: 4320 # Renewal duration in minutes (default: 3 days); 0 - use initial duration
+  protectionLeaseDurationMinutes: 1440 # Default protection duration in minutes (default: 1 day); 0 - infinite protection
+  protectionMaxDurationMinutes: 10080 # Maximum allowed protection duration in minutes (default: 7 days); 0 - no limit
   protectionExpiryWarningMinutes: 1440 # Send warning webhook N minutes before expiry (default: 24 hours)
 
 diagnostic:

engine/configs/config.example.physical_pgbackrest.yml

@@ -144,8 +144,8 @@ retrieval:  # Data retrieval: initial sync and ongoing updates. Two methods:
 cloning:
   accessHost: "localhost" # Host that will be specified in database connection info for all clones (only used to inform users)
   maxIdleMinutes: 120 # Automatically delete clones after the specified minutes of inactivity; 0 - disable automatic deletion
-  protectionLeaseDurationMinutes: 10080 # Clone protection lease duration in minutes (default: 7 days); 0 - infinite protection
-  protectionRenewalDurationMinutes: 4320 # Renewal duration in minutes (default: 3 days); 0 - use initial duration
+  protectionLeaseDurationMinutes: 1440 # Default protection duration in minutes (default: 1 day); 0 - infinite protection
+  protectionMaxDurationMinutes: 10080 # Maximum allowed protection duration in minutes (default: 7 days); 0 - no limit
   protectionExpiryWarningMinutes: 1440 # Send warning webhook N minutes before expiry (default: 24 hours)
 
 diagnostic:

engine/configs/config.example.physical_walg.yml

@@ -117,8 +117,8 @@ retrieval:  # Data retrieval: initial sync and ongoing updates. Two methods:
 cloning:
   accessHost: "localhost" # Host that will be specified in database connection info for all clones (only used to inform users)
   maxIdleMinutes: 120 # Automatically delete clones after the specified minutes of inactivity; 0 - disable automatic deletion
-  protectionLeaseDurationMinutes: 10080 # Clone protection lease duration in minutes (default: 7 days); 0 - infinite protection
-  protectionRenewalDurationMinutes: 4320 # Renewal duration in minutes (default: 3 days); 0 - use initial duration
+  protectionLeaseDurationMinutes: 1440 # Default protection duration in minutes (default: 1 day); 0 - infinite protection
+  protectionMaxDurationMinutes: 10080 # Maximum allowed protection duration in minutes (default: 7 days); 0 - no limit
   protectionExpiryWarningMinutes: 1440 # Send warning webhook N minutes before expiry (default: 24 hours)
 
 diagnostic:

engine/internal/cloning/base.go

@@ -39,11 +39,11 @@ const (
 
 // Config contains a cloning configuration.
 type Config struct {
-	MaxIdleMinutes                   uint   `yaml:"maxIdleMinutes"`
-	AccessHost                       string `yaml:"accessHost"`
-	ProtectionLeaseDurationMinutes   uint   `yaml:"protectionLeaseDurationMinutes"`
-	ProtectionRenewalDurationMinutes uint   `yaml:"protectionRenewalDurationMinutes"`
-	ProtectionExpiryWarningMinutes   uint   `yaml:"protectionExpiryWarningMinutes"`
+	MaxIdleMinutes                 uint   `yaml:"maxIdleMinutes"`
+	AccessHost                     string `yaml:"accessHost"`
+	ProtectionLeaseDurationMinutes uint   `yaml:"protectionLeaseDurationMinutes"`
+	ProtectionMaxDurationMinutes   uint   `yaml:"protectionMaxDurationMinutes"`
+	ProtectionExpiryWarningMinutes uint   `yaml:"protectionExpiryWarningMinutes"`
 }
 
 // Base provides cloning service.
@@ -181,7 +181,7 @@ func (c *Base) CreateClone(cloneRequest *types.CloneCreateRequest) (*models.Clon
 
 	var protectedTill *models.LocalTime
 	if cloneRequest.Protected {
-		protectedTill = c.calculateInitialProtectionTime()
+		protectedTill = c.calculateProtectionTime(cloneRequest.ProtectionDurationMinutes)
 	}
 
 	clone := &models.Clone{
@@ -280,10 +280,10 @@ func (c *Base) fillCloneSession(cloneID string, session *resources.Session) {
 		clone.DB.Host, clone.DB.Port, clone.DB.Username, clone.DB.DBName)
 
 	clone.Metadata = models.CloneMetadata{
-		CloningTime:                      w.TimeStartedAt.Sub(w.TimeCreatedAt).Seconds(),
-		MaxIdleMinutes:                   c.config.MaxIdleMinutes,
-		ProtectionLeaseDurationMinutes:   c.config.ProtectionLeaseDurationMinutes,
-		ProtectionRenewalDurationMinutes: c.config.ProtectionRenewalDurationMinutes,
+		CloningTime:                    w.TimeStartedAt.Sub(w.TimeCreatedAt).Seconds(),
+		MaxIdleMinutes:                 c.config.MaxIdleMinutes,
+		ProtectionLeaseDurationMinutes: c.config.ProtectionLeaseDurationMinutes,
+		ProtectionMaxDurationMinutes:   c.config.ProtectionMaxDurationMinutes,
 	}
 }
 
@@ -464,16 +464,12 @@ func (c *Base) UpdateClone(id string, patch types.CloneUpdateRequest) (*models.C
 
 	c.cloneMutex.Lock()
 
-	if patch.RenewLease && w.Clone.Protected {
-		w.Clone.ProtectedTill = c.calculateRenewalTime()
-	} else if patch.Protected != w.Clone.Protected {
-		w.Clone.Protected = patch.Protected
-
-		if patch.Protected {
-			w.Clone.ProtectedTill = c.calculateInitialProtectionTime()
-		} else {
-			w.Clone.ProtectedTill = nil
-		}
+	if patch.Protected {
+		w.Clone.Protected = true
+		w.Clone.ProtectedTill = c.calculateProtectionTime(patch.ProtectionDurationMinutes)
+	} else {
+		w.Clone.Protected = false
+		w.Clone.ProtectedTill = nil
 	}
 
 	clone = w.Clone
@@ -484,29 +480,34 @@ func (c *Base) UpdateClone(id string, patch types.CloneUpdateRequest) (*models.C
 	return clone, nil
 }
 
-// calculateInitialProtectionTime calculates the protection expiry time for a new protection lease.
-func (c *Base) calculateInitialProtectionTime() *models.LocalTime {
-	if c.config.ProtectionLeaseDurationMinutes == 0 {
-		return nil
+// calculateProtectionTime calculates the protection expiry time based on the requested duration.
+// If durationMinutes is nil, uses the default from config.
+// If durationMinutes is 0, returns nil (infinite protection) unless max duration is configured.
+// If max duration is configured, the duration is capped at the max.
+func (c *Base) calculateProtectionTime(durationMinutes *uint) *models.LocalTime {
+	var minutes uint
+
+	if durationMinutes != nil {
+		minutes = *durationMinutes
+	} else {
+		minutes = c.config.ProtectionLeaseDurationMinutes
 	}
 
-	expiry := time.Now().Add(time.Duration(c.config.ProtectionLeaseDurationMinutes) * time.Minute)
+	maxMinutes := c.config.ProtectionMaxDurationMinutes
 
-	return models.NewLocalTime(expiry)
-}
-
-// calculateRenewalTime calculates the protection expiry time for a lease renewal.
-func (c *Base) calculateRenewalTime() *models.LocalTime {
-	renewalMinutes := c.config.ProtectionRenewalDurationMinutes
-	if renewalMinutes == 0 {
-		renewalMinutes = c.config.ProtectionLeaseDurationMinutes
+	if minutes == 0 {
+		if maxMinutes > 0 {
+			minutes = maxMinutes
+		} else {
+			return nil
+		}
 	}
 
-	if renewalMinutes == 0 {
-		return nil
+	if maxMinutes > 0 && minutes > maxMinutes {
+		minutes = maxMinutes
 	}
 
-	expiry := time.Now().Add(time.Duration(renewalMinutes) * time.Minute)
+	expiry := time.Now().Add(time.Duration(minutes) * time.Minute)
 
 	return models.NewLocalTime(expiry)
 }
@@ -644,11 +645,11 @@ func (c *Base) ResetClone(cloneID string, resetOptions types.ResetCloneRequest)
 func (c *Base) GetCloningState() models.Cloning {
 	clones := c.GetClones()
 	cloning := models.Cloning{
-		ExpectedCloningTime:              c.getExpectedCloningTime(),
-		Clones:                           clones,
-		NumClones:                        uint64(len(clones)),
-		ProtectionLeaseDurationMinutes:   c.config.ProtectionLeaseDurationMinutes,
-		ProtectionRenewalDurationMinutes: c.config.ProtectionRenewalDurationMinutes,
+		ExpectedCloningTime:            c.getExpectedCloningTime(),
+		Clones:                         clones,
+		NumClones:                      uint64(len(clones)),
+		ProtectionLeaseDurationMinutes: c.config.ProtectionLeaseDurationMinutes,
+		ProtectionMaxDurationMinutes:   c.config.ProtectionMaxDurationMinutes,
 	}
 
 	return cloning

engine/pkg/client/dblabapi/types/clone.go

@@ -7,19 +7,20 @@ package types
 
 // CloneCreateRequest represents clone params of a create request.
 type CloneCreateRequest struct {
-	ID        string                     `json:"id"`
-	Protected bool                       `json:"protected"`
-	DB        *DatabaseRequest           `json:"db"`
-	Snapshot  *SnapshotCloneFieldRequest `json:"snapshot"`
-	ExtraConf map[string]string          `json:"extra_conf"`
-	Branch    string                     `json:"branch"`
-	Revision  int                        `json:"-"`
+	ID                        string                     `json:"id"`
+	Protected                 bool                       `json:"protected"`
+	ProtectionDurationMinutes *uint                      `json:"protectionDurationMinutes,omitempty"`
+	DB                        *DatabaseRequest           `json:"db"`
+	Snapshot                  *SnapshotCloneFieldRequest `json:"snapshot"`
+	ExtraConf                 map[string]string          `json:"extra_conf"`
+	Branch                    string                     `json:"branch"`
+	Revision                  int                        `json:"-"`
 }
 
 // CloneUpdateRequest represents params of an update request.
 type CloneUpdateRequest struct {
-	Protected  bool `json:"protected"`
-	RenewLease bool `json:"renewLease,omitempty"`
+	Protected                 bool  `json:"protected"`
+	ProtectionDurationMinutes *uint `json:"protectionDurationMinutes,omitempty"`
 }
 
 // DatabaseRequest represents database params of a clone request.

engine/pkg/models/clone.go

@@ -51,12 +51,12 @@ func (c *Clone) ProtectionExpiresIn() time.Duration {
 
 // CloneMetadata contains fields describing a clone model.
 type CloneMetadata struct {
-	CloneDiffSize                    uint64  `json:"cloneDiffSize"`
-	LogicalSize                      uint64  `json:"logicalSize"`
-	CloningTime                      float64 `json:"cloningTime"`
-	MaxIdleMinutes                   uint    `json:"maxIdleMinutes"`
-	ProtectionLeaseDurationMinutes   uint    `json:"protectionLeaseDurationMinutes,omitempty"`
-	ProtectionRenewalDurationMinutes uint    `json:"protectionRenewalDurationMinutes,omitempty"`
+	CloneDiffSize                  uint64  `json:"cloneDiffSize"`
+	LogicalSize                    uint64  `json:"logicalSize"`
+	CloningTime                    float64 `json:"cloningTime"`
+	MaxIdleMinutes                 uint    `json:"maxIdleMinutes"`
+	ProtectionLeaseDurationMinutes uint    `json:"protectionLeaseDurationMinutes,omitempty"`
+	ProtectionMaxDurationMinutes   uint    `json:"protectionMaxDurationMinutes,omitempty"`
 }
 
 // CloneView represents a view of clone model.