mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 18:01:37 +00:00
shankar0123
925523e06e
Audit 2026-05-10 Fix 13 Phase B — close MED-9. MED-4/5/6/7 deferred to v3.
MED-9: ship the OIDCProvider.Enabled boolean. Pre-fix, the only way
to take a provider offline during an incident was DELETE, which
breaks active user_oidc_provider FK references and orphans any
session that minted under the provider. Post-fix:
- Migration 000042 adds enabled BOOLEAN NOT NULL DEFAULT TRUE.
Default-true means existing pre-migration rows are all enabled
post-deploy; no breaking-change window.
- internal/auth/oidc/domain/types.go::OIDCProvider.Enabled ships
the domain field with JSON tag 'enabled'.
- Repository read/write paths (List, Get, GetByName, Create, Update)
all carry the column.
- internal/auth/oidc/service.go::HandleAuthRequest rejects with
the new ErrProviderDisabled sentinel when cfgRow.Enabled=false.
- cmd/server/main.go::oidcProvidersListAdapter.List filters
disabled providers before constructing OIDCProviderInfo so the
LoginPage's 'Sign in with X' buttons never render for offline
IdPs.
- Defense-in-depth: the ErrProviderDisabled service-layer check
is the guard for direct API / MCP / CLI callers that bypass the
GUI.
Regression test: internal/auth/oidc/provider_enabled_test.go warms
the entry cache via a successful HandleAuthRequest, flips
cfgRow.Enabled=false on the cached entry, then asserts the next call
returns ErrProviderDisabled (errors.Is). Test fixtures (newValidProvider,
makeProvider) updated to set Enabled: true so existing tests stay
green.
Operators can toggle Enabled today via the existing PUT
/api/v1/auth/oidc/providers/{id} body field. A dedicated GUI
toggle on OIDCProviderDetailPage and a single-purpose PUT-just-enabled
endpoint are deferred to the v3 GUI-polish bundle — the load-bearing
wire is in place now.
MED-4 (GUI advanced fields on edit), MED-5 (POST .../test endpoint
+ button), MED-6 (JWKS auto-refresh on cache-miss), MED-7 (JWKS
health endpoint + GUI panel): DEFERRED to v3 with explicit
annotations in the audit doc. Workarounds: MED-4 fields are
PUT-editable via curl/MCP; MED-5 → call refresh post-create;
MED-6 → call refresh manually on key rotation.
Refs: cowork/auth-bundles-audit-2026-05-10.md MED-4, MED-5, MED-6,
MED-7, MED-9
Spec: cowork/auth-bundles-fixes-2026-05-10/13-med-bundle.md Phase B
40 lines
1.5 KiB
Go
40 lines
1.5 KiB
Go
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"testing"
|
|
)
|
|
|
|
// Audit 2026-05-10 MED-9 closure — pin the disabled-provider behavior.
|
|
// HandleAuthRequest must reject pre-login creation with
|
|
// ErrProviderDisabled when the operator has flipped Enabled=false. The
|
|
// LoginPage's AuthInfo provider list filters disabled providers at the
|
|
// adapter (cmd/server/main.go::oidcProvidersListAdapter.List) so the
|
|
// button doesn't render in the first place; ErrProviderDisabled is the
|
|
// defense-in-depth guard for direct API / MCP / CLI callers.
|
|
|
|
func TestService_HandleAuthRequest_DisabledProvider_RejectsWithErrProviderDisabled(t *testing.T) {
|
|
mockIdP := newMockIdP(t)
|
|
svc, _ := newServiceWithProvider(t, mockIdP.URL(), "op-disabled")
|
|
|
|
// Warm the entry cache via a successful HandleAuthRequest (this runs
|
|
// real discovery against mockIdP), then flip cfgRow.Enabled to false
|
|
// to simulate the operator toggling the provider offline. The next
|
|
// HandleAuthRequest hits the disabled-check before the cached entry
|
|
// is reused.
|
|
if _, _, _, err := svc.HandleAuthRequest(context.Background(), "op-disabled"); err != nil {
|
|
t.Fatalf("warm HandleAuthRequest: %v", err)
|
|
}
|
|
if entry, ok := svc.cache["op-disabled"]; ok && entry.cfgRow != nil {
|
|
entry.cfgRow.Enabled = false
|
|
} else {
|
|
t.Fatal("expected cache entry for op-disabled after warmup")
|
|
}
|
|
|
|
_, _, _, err := svc.HandleAuthRequest(context.Background(), "op-disabled")
|
|
if !errors.Is(err, ErrProviderDisabled) {
|
|
t.Errorf("HandleAuthRequest(disabled provider) err = %v; want ErrProviderDisabled", err)
|
|
}
|
|
}
|