feat(gui/oidc): Test Connection panel on create + edit forms (MED-5 GUI half)

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-14 04:20:24 +00:00

Audit 2026-05-11 Fix 09 closure. MED-5's backend dry-run endpoint
(POST /api/v1/auth/oidc/test, gated auth.oidc.create) shipped on
dev/auth-bundle-2 (commit b4b9879) but the GUI never called it —
authOIDCTestProvider in web/src/api/client.ts was dead code.

Operator gap before this fix: complete the create form blind, save,
then click 'Refresh' to discover whether the issuer URL worked.
Discovery failures left a broken provider row in the DB that had
to be deleted before retrying. The MED-5 backend exists to short-
circuit this — surface the dry-run result before commit.

New shared component web/src/pages/auth/OIDCTestConnectionPanel.tsx
calls authOIDCTestProvider against the live form state (issuer URL
+ client ID + parsed scopes) and renders a four-row status panel
inline:

* ✓/✗ Discovery fetched (with issuer-echo from the well-known doc)
* ✓/✗ JWKS reachable (with the discovered jwks_uri)
* ✓/⚠ Supported algs (warning glyph when the IdP advertises none —
  distinct from a discovery failure)
* ✓/· RFC 9207 iss-parameter advertised (informational · glyph
  rather than ✗ because the spec is SHOULD, not MUST)

Backend per-leg errors[] flow into an inline bullet list. A
top-level rectangle catches network/fetch failures separately.
The Run button is disabled when the issuer URL is empty or
whitespace-only. The component does NOT persist anything — safe
to run repeatedly before the operator clicks Save.

The panel is mounted in two places:

* OIDCProvidersPage create modal (between the form fields and the
  Create button) — short-circuits the blind-save footgun for new
  provider configs.
* OIDCProviderDetailPage edit form (between the field grid and
  the Save button) — load-bearing for verifying IdP rotations
  (Keycloak realm rename, Okta tenant move, certctl side-by-side
  hostname change) without committing first.

A testIDSuffix prop (default 'create' / 'edit') gives each mount
point a distinct data-testid namespace so both panels can coexist
on a hypothetical page that uses both without DOM-id collisions.

8 Vitest tests in OIDCTestConnectionPanel.test.tsx:

* RunButton — disabled until issuer URL is non-empty
* RunButton — also disabled when issuer URL is whitespace-only
* RunButton — enabled when issuer URL is non-empty
* HappyPath — all four primary checks render green with detail
  rows for authorization_url / token_url / userinfo_endpoint
  (asserts both the glyph contract AND the mocked POST body shape)
* FailurePath — discovery=false renders ✗ on discovery + ✗ on
  JWKS + ⚠ on empty supported algs + error list with backend
  per-leg messages
* IssParamFalse — load-bearing UX claim that the iss-parameter
  row renders · (informational), not ✗; body must contain the
  word 'informational' so operators understand it's not a failure
* FetchError — top-level error rectangle when the POST throws
* TestIDSuffix — same component mounted twice with different
  suffixes renders both without DOM-id collision

Verify gate:
* tsc --noEmit — clean
* vitest OIDCTestConnectionPanel.test.tsx — 8/8 pass
* vitest OIDCProvidersPage.test.tsx + OIDCProviderDetailPage.test.tsx
  — 38/38 pass (panel-mount in both pages does not regress
  existing tests because they don't trigger the test button)

Operator runbook: the four glyph meanings are documented inline on
the panel's subtitle. Audit doc annotation at
cowork/auth-bundles-audit-2026-05-10.md flips MED-5 from
'BACKEND CLOSED' to 'CLOSED' with the GUI-half annotation.

Refs cowork/auth-bundles-fixes-2026-05-11/09-med-oidc-test-connection-button.md.

This commit is contained in:

shankar0123

2026-05-11 11:52:26 +00:00

parent b8fac59200

commit 64ad8e525c

5 changed files with 434 additions and 0 deletions

									
										web/src/pages/auth/OIDCProvidersPage.tsx
									
		+11
		
												View File
												
				@@ -10,6 +10,7 @@ import {

				import { useAuthMe } from '../../hooks/useAuthMe';

				import PageHeader from '../../components/PageHeader';

				import ErrorState from '../../components/ErrorState';

				import OIDCTestConnectionPanel from './OIDCTestConnectionPanel';

				// =============================================================================

				// Bundle 2 Phase 8 — OIDCProvidersPage.

				@@ -313,6 +314,16 @@ function CreateProviderModal({ isOpen, onClose, onSuccess }: CreateProviderModal

				              </p>

				            )}

				          </div>

				          {/* Audit 2026-05-11 Fix 09 — Test Connection panel (MED-5 GUI half).

				              Dry-run the issuer URL + JWKS reachability + alg-downgrade defense

				              against MED-5's POST /api/v1/auth/oidc/test. Renders inline so the

				              operator sees the result before committing. */}

				          <OIDCTestConnectionPanel

				            issuerURL={form.issuer_url}

				            clientID={form.client_id}

				            scopes={form.scopes || []}

				            testIDSuffix="create"

				          />

				          <div className="flex justify-end gap-2 pt-3">

				            <button

				              type="button"