Align release publisher scopes and preserve promotion submit context

2026-03-10 19:01:16 +02:00
parent f401a7182c
commit d93006a8fa
11 changed files with 365 additions and 9 deletions
--- a/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardPluginBootstrapperTests.cs
+++ b/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard.Tests/StandardPluginBootstrapperTests.cs
@@ -39,7 +39,8 @@ public class StandardPluginBootstrapperTests
                        ClientId = "stella-ops-ui",
                        DisplayName = "Stella Ops Console",
                        AllowedGrantTypes = "authorization_code refresh_token",
-                        AllowedScopes = $"openid profile {StellaOpsScopes.UiRead} {StellaOpsScopes.RegistryAdmin}",
+                        AllowedScopes =
+                            $"openid profile {StellaOpsScopes.UiRead} {StellaOpsScopes.RegistryAdmin} {StellaOpsScopes.ReleaseRead} {StellaOpsScopes.ReleaseWrite} {StellaOpsScopes.ReleasePublish}",
                        RedirectUris = "https://stella-ops.local/auth/callback https://stella-ops.local/auth/silent-refresh",
                        PostLogoutRedirectUris = "https://stella-ops.local/",
                        RequirePkce = true
@@ -69,6 +70,9 @@ public class StandardPluginBootstrapperTests
        var client = await clientStore.FindByClientIdAsync("stella-ops-ui", TestContext.Current.CancellationToken);
        Assert.NotNull(client);
        Assert.Contains(StellaOpsScopes.RegistryAdmin, client!.AllowedScopes);
+        Assert.Contains(StellaOpsScopes.ReleaseRead, client.AllowedScopes);
+        Assert.Contains(StellaOpsScopes.ReleaseWrite, client.AllowedScopes);
+        Assert.Contains(StellaOpsScopes.ReleasePublish, client.AllowedScopes);
        Assert.Contains("authorization_code", client.AllowedGrantTypes);
        Assert.True(client.RequirePkce);
        Assert.Equal("demo-prod", client.Properties[AuthorityClientMetadataKeys.Tenant]);
--- a/src/Authority/__Libraries/StellaOps.Authority.Persistence/Migrations/S001_demo_seed.sql
+++ b/src/Authority/__Libraries/StellaOps.Authority.Persistence/Migrations/S001_demo_seed.sql
@@ -91,7 +91,7 @@ VALUES
            'airgap:seal', 'airgap:status:read',
            'orch:read', 'analytics.read', 'advisory:read', 'vex:read', 'vexhub:read',
            'exceptions:read', 'exceptions:approve', 'aoc:verify', 'findings:read',
-            'release:read', 'scheduler:read', 'scheduler:operate',
+            'release:read', 'release:write', 'release:publish', 'scheduler:read', 'scheduler:operate',
            'notify.viewer', 'notify.operator', 'notify.admin', 'notify.escalate',
            'evidence:read',
            'export.viewer', 'export.operator', 'export.admin',