save checkpoint
38
docs/features/checked/authority/authority-plugin-system.md
Normal file
@@ -0,0 +1,38 @@
# Authority Plugin System (LDAP, SAML, Custom Providers)
## Module
Authority
## Status
IMPLEMENTED
## Description
Extensible authentication with pluggable identity providers loaded at startup, supporting multiple authentication methods including Standard (username/password), LDAP, OIDC, SAML, and a Unified adapter.
## Implementation Details
- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml/`, `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Unified/`
- **Key Classes**:
- `AuthorityPluginLoader` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginLoader.cs`) - discovers and loads plugin assemblies from disk at startup
- `AuthorityPluginRegistrationSummary` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginRegistrationSummary.cs`) - captures loaded plugins, errors, and capabilities
- `AuthorityPluginContracts` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityPluginContracts.cs`) - `IAuthorityPlugin`, `IAuthorityPluginRegistrar` interfaces
- `IdentityProviderContracts` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/IdentityProviderContracts.cs`) - `IAuthorityIdentityProviderPlugin`, credential validation, claims enrichment
- `AuthoritySecretHasher` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthoritySecretHasher.cs`) - pluggable secret hashing
- `StandardIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardIdentityProviderPlugin.cs`) - built-in username/password plugin
- `StandardPluginRegistrar` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardPluginRegistrar.cs`) - Standard plugin registration
- `StandardPluginBootstrapper` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Bootstrap/StandardPluginBootstrapper.cs`) - bootstraps initial admin user
- `StandardCredentialAuditLogger` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Security/StandardCredentialAuditLogger.cs`) - audit logging for credential operations
- `LdapIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapIdentityProviderPlugin.cs`) - LDAP identity provider
- `OidcIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc/OidcIdentityProviderPlugin.cs`) - OIDC identity provider
- `SamlIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml/SamlIdentityProviderPlugin.cs`) - SAML identity provider
- `AuthPluginAdapter` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Unified/AuthPluginAdapter.cs`) - unified adapter for multiple plugin types
- **Interfaces**: `IAuthorityPlugin`, `IAuthorityPluginRegistrar`, `IAuthorityIdentityProviderPlugin` (in `AuthorityPluginContracts.cs`, `IdentityProviderContracts.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Start the Authority server with Standard and LDAP plugins and verify `AuthorityPluginRegistrationSummary` shows both loaded successfully
- [ ] Authenticate via `StandardIdentityProviderPlugin` using username/password and verify a token is issued
- [ ] Remove a plugin from the plugins directory, restart, and verify `AuthorityPluginLoader` reports it as missing without crashing
- [ ] Register a custom plugin implementing `IAuthorityIdentityProviderPlugin` and verify it is discovered and callable
- [ ] Verify each plugin's `IAuthorityPluginRegistrar.Register` is called with the correct `AuthorityPluginRegistrationContext`
- [ ] Verify credential audit: authenticate via Standard plugin and verify `StandardCredentialAuditLogger` records the login event
- [ ] Load OIDC and SAML plugins simultaneously and verify each handles its respective protocol flow independently
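Review bot: the E2E Test Plan in this hunk only exercises success paths, and for an authentication plugin system the failure paths are the ones that need coverage. Add items that authenticate via `StandardIdentityProviderPlugin` with a wrong password and verify no token is issued and that `StandardCredentialAuditLogger` records the failed attempt, not only the login event; and, since `AuthorityPluginRegistrationSummary` is described as capturing "loaded plugins, errors, and capabilities", add an item where a plugin assembly fails to load and verify the error surfaces in the summary rather than the plugin being skipped silently. Two documentation gaps as well: `AuthorityPluginRegistrationContext` is referenced in the fifth test item but is missing from the Key Classes and Interfaces lists, so list it with its file; and `AuthoritySecretHasher` is named as pluggable secret hashing without any test item exercising it.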