Add unit tests for SBOM ingestion and transformation
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly.
- Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps.
- Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges.
- Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges.
- Set up project file for the test project with necessary dependencies and configurations.
- Include JSON fixture files for testing purposes.
28
docs/notes/2025-11-03-authority-plugin-ldap-review.md
Normal file
@@ -0,0 +1,28 @@
# Authority Plugin LDAP Review — 2025-11-03
## Attendees
- Auth Guild core (Authority Host Crew)
- Security Guild (Identity Controls)
- DevEx Docs Guild
- Plugin Team 4 (Auth Libraries & Identity Providers)
## Agenda
- Confirm LDAP plugin charter and offline/sovereign requirements.
- Resolve outstanding decisions (audit mirror, mutual TLS, group mapping).
- Capture follow-up implementation tasks and documentation deliverables.
## Discussion Summary
1. **Audit mirror parity** — All provisioning flows must emit Mongo audit records even when LDAP is the write source. Records store actor, tenant, DN, operation, hashed secret reference, and correlation IDs matching Authority audit events.
2. **Mutual TLS requirements** — Regulated installations (FIPS/eIDAS/GOST) require client certificate bindings. Plugin must accept secret-backed PFX stores, optional chain send, and deterministic trust-store configuration (`system` vs bundled roots). Runtime must fail fast when TLS is misconfigured.
3. **Role mapping flexibility** — Deterministic regex mappings allow deriving canonical Authority roles from LDAP DNs without custom scripting. Regex capture groups map to `{role}` substitutions; evaluation order is deterministic (dictionary map → regex map) to preserve predictability.
4. **Offline cache expectations** — Mongo-backed cache must record TTL and emit metrics when falling back to cached entries. Cache invalidation respects `cache.ttlSeconds` configuration.
## Follow-up Tasks
- `PLG7.IMPL-001` — Scaffold plugin + tests, configuration binding (client cert, trust store, insecure toggle validation).
- `PLG7.IMPL-002` — Implement credential store + mutual TLS enforcement with deterministic retry/backoff and structured logging.
- `PLG7.IMPL-003` — Deliver claims enricher with regex mapping, cache layer, and associated tests/fixtures.
- `PLG7.IMPL-004` — Implement client provisioning store with LDAP write toggles, Mongo audit mirror, and bootstrap validation.
- `PLG7.IMPL-005` — Update developer guide, samples, and release notes with LDAP configuration guidance (mutual TLS, regex mapping, audit mirror).
## Next Checkpoint
- Status review scheduled 2025-11-10 to assess scaffolding progress and mutual TLS handshake tests.
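Review bot: the file added in this hunk, docs/notes/2025-11-03-authority-plugin-ldap-review.md, is a meeting note on the Authority LDAP plugin, while the commit message describes only SBOM ingestion and transformation tests; either mention the note in the message or move it to its own commit so the history stays searchable. Within the note, the "Mutual TLS requirements" item says the runtime "must fail fast when TLS is misconfigured" and PLG7.IMPL-001 lists "insecure toggle validation", but nothing records whether that toggle may be enabled at all under the FIPS/eIDAS/GOST client-certificate requirement; one sentence stating that the toggle is rejected in regulated mode (or exactly which check it relaxes) would make the decision unambiguous for the implementer. Similarly, "Role mapping flexibility" fixes the dictionary-then-regex evaluation order but not the outcome when several regex patterns match one DN (first match wins versus union of roles), which directly determines the roles a user is granted and should be captured here.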