feat(auth): authorization catalogues + Principal builder skeleton (ADR-0025)
CI / check (pull_request) Failing after 28s
CI / commits (pull_request) Failing after 25s
CI / scan (pull_request) Failing after 56s
CI / a11y (pull_request) Failing after 33s
CI / perf (pull_request) Failing after 47s
Docs site / build (pull_request) Failing after 26s
CI / check (pull_request) Failing after 28s
CI / commits (pull_request) Failing after 25s
CI / scan (pull_request) Failing after 56s
CI / a11y (pull_request) Failing after 33s
CI / perf (pull_request) Failing after 47s
Docs site / build (pull_request) Failing after 26s
Per ADR-0025's implementation phasing, lands the closed-set catalogues + the OIDC-callback hook that composes the session-resident Principal. No new guards yet. - libs/shared/auth: framework-agnostic lib hosting authorization.types.ts (4 privileges + 24 functional roles + 6 scope kinds + Principal type) and entra-group-to-role.ts (validated GUID -> slug resolver). 17 unit tests against the catalogues + resolver contracts. - BFF: PrincipalBuilder composes the three axes once at sign-in; ScopeResolver seam (StubScopeResolver returns unrestricted in v1, replaced by a Prisma-backed implementation when ADR-0026's user_scopes table lands). 19 persona-driven tests covering the test tenant's full provisioning + edge cases (unknown privilege drift, unknown group GUID, empty permissions). - AuthService extracts the Entra "groups" claim; AuthenticatedUser grows the groups: readonly string[] field. - SessionEstablisher builds + persists the principal alongside the legacy user shape (additive — guards consuming user.oid unchanged). - ENTRA_GROUP_MAP_PATH env var + load-entra-group-map.ts read the tenant-private map from infra/<env>-tenant.entra.json (gitignored; .example.json committed with the schema). - ADR-0025 path references updated from libs/feature/auth (Angular-scoped, scope:portal-shell) to libs/shared/auth (consumable by both BFF and SPA). - notes/entra-groups-claim-activation.md: operator runbook for the "Token configuration -> Add groups claim" step in the Entra admin centre. Test plan: - pnpm nx affected -t lint test build : 13 projects green (497 BFF tests + 17 shared-auth tests + 1 shared-util test + full lint + full build).
This commit is contained in:
@@ -0,0 +1,24 @@
|
||||
# shared-auth
|
||||
|
||||
Framework-agnostic authorization primitives shared across `portal-bff` and
|
||||
`portal-shell` per [ADR-0025](../../../docs/decisions/0025-authorization-model-privileges-roles-scopes.md):
|
||||
|
||||
- **Catalogues** (`authorization.types.ts`) — closed-set lists of the four
|
||||
privileges (`Portal.*` Entra app roles), the 24 functional roles
|
||||
(`apf-role-*` Entra security groups), and the six scope kinds. Adding an
|
||||
entry is an ADR amendment, not a code change in isolation.
|
||||
- **`Principal` type** — the session-resident shape consumed by route
|
||||
guards (`@RequirePrivilege`, `@RequireRole`, `@RequireScope`) and projected
|
||||
to the AI service's flat `roles[]` contract.
|
||||
- **`EntraGroupToRoleResolver`** — turns the tenant-specific Entra group
|
||||
GUIDs carried in the OIDC `groups` claim into the catalogue's role slugs.
|
||||
Configured at boot from `infra/<env>-tenant.entra.json` (gitignored —
|
||||
GUIDs are tenant-private).
|
||||
|
||||
## Building
|
||||
|
||||
Run `pnpm nx build shared-auth` to build the library.
|
||||
|
||||
## Running unit tests
|
||||
|
||||
Run `pnpm nx test shared-auth` to execute the unit tests via [Vitest](https://vitest.dev/).
|
||||
Reference in New Issue
Block a user