git.stella-ops.org/docs/features/unchecked/authority/pack-rbac-roles-and-cli-profiles.md

Pack RBAC Roles and CLI Profiles

Module: Authority
Status: IMPLEMENTED

Description

Five Task Pack RBAC roles (pack-viewer, pack-operator, pack-publisher, pack-approver, pack-admin) with deterministic scope bundles, authorization policy helper (AddPacksResourcePolicies), and CLI profiles for role-based token acquisition.

Implementation Details

  • Resource Server Policies: src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsResourceServerPolicies.cs -- includes AddPacksResourcePolicies that registers authorization policies for each Pack RBAC role with deterministic scope bundles.
  • Authorization Policy Builder Extensions: src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOpsAuthorizationPolicyBuilderExtensions.cs -- RequireScope and RequireAnyScope extension methods used by pack policies.
  • Scopes: src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs -- defines pack-specific scopes (packs:read, packs:execute, packs:publish, packs:approve, packs:admin).
  • Claim Types: src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsClaimTypes.cs -- custom claim types including pack role claims.
  • Auth Client (CLI Profiles): src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsAuthClientOptions.cs -- CLI profile configuration specifying the scope bundle for each role.
  • Token Client: src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenClient.cs -- acquires tokens with the correct scope bundle for the configured CLI profile/role.
  • File Token Cache: src/Authority/StellaOps.Authority/StellaOps.Auth.Client/FileTokenCache.cs -- persists per-profile tokens to disk for CLI session continuity.
  • Role Repository: src/Authority/__Libraries/StellaOps.Authority.Persistence/Postgres/Repositories/RoleRepository.cs -- stores role definitions including pack roles.
  • Tests: src/Authority/__Tests/StellaOps.Authority.Persistence.Tests/RoleBasedAccessTests.cs, RoleRepositoryTests.cs

E2E Test Plan

  • Register the five pack RBAC roles and verify each has the correct deterministic scope bundle (e.g., pack-viewer gets packs:read only)
  • Authenticate as pack-viewer and attempt to publish a pack; verify access is denied with 403
  • Authenticate as pack-publisher and verify publishing is allowed but approval is denied
  • Authenticate as pack-admin and verify all pack operations are allowed
  • Configure a CLI profile with the pack-operator role and verify StellaOpsTokenClient requests the correct scope set
  • Verify FileTokenCache stores the profile-specific token and a different profile does not reuse it
  • Verify the AddPacksResourcePolicies helper registers all five policies in the ASP.NET authorization system
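The following is an added, language-neutral model of the design described on this page, written to walk through the E2E test plan offline; it is not StellaOps code and does not call the project's C# APIs (AddPacksResourcePolicies, StellaOpsTokenClient, FileTokenCache). Only the five role names and five scope names come from the page, and the only scope bundle the page states is pack-viewer = packs:read. Every other bundle, the policy-name-to-scope mapping, the profile names and the cache file layout are assumptions constructed for the example.

```python
"""Added example (not StellaOps code): model of pack RBAC scope bundles, resource
policies, per-profile token acquisition and a per-profile token cache."""
import json
import os
import tempfile
from typing import Dict, FrozenSet, Iterable, Optional

# Scope names as listed on the page.
READ, EXECUTE, PUBLISH, APPROVE, ADMIN = (
    "packs:read", "packs:execute", "packs:publish", "packs:approve", "packs:admin")

# Deterministic scope bundle per role. Only pack-viewer -> {packs:read} is stated
# on the page; the remaining bundles are ASSUMED for illustration.
ROLE_BUNDLES: Dict[str, FrozenSet[str]] = {
    "pack-viewer":    frozenset({READ}),
    "pack-operator":  frozenset({READ, EXECUTE}),
    "pack-publisher": frozenset({READ, EXECUTE, PUBLISH}),
    "pack-approver":  frozenset({READ, EXECUTE, APPROVE}),
    "pack-admin":     frozenset({READ, EXECUTE, PUBLISH, APPROVE, ADMIN}),
}

# Resource-server policies: one required scope per named policy (ASSUMED names).
POLICIES: Dict[str, str] = {
    "packs.read": READ, "packs.execute": EXECUTE, "packs.publish": PUBLISH,
    "packs.approve": APPROVE, "packs.admin": ADMIN,
}


def scopes_for_role(role: str) -> FrozenSet[str]:
    """Return the role's bundle; an unknown role gets no scopes (fail closed)."""
    return ROLE_BUNDLES.get(role, frozenset())


def authorize(token_scopes: Iterable[str], policy: str) -> int:
    """Evaluate one policy against a token's scopes: 200 allowed, 403 forbidden.
    An unknown policy name is also 403, so a typo in a policy never grants access."""
    required = POLICIES.get(policy)
    if required is None or required not in set(token_scopes):
        return 403
    return 200


class TokenClient:
    """Stand-in for a CLI token client: requests exactly the profile's bundle."""

    def __init__(self, profiles: Dict[str, str]):
        self.profiles = profiles  # profile name -> role name
        self.last_request: Optional[FrozenSet[str]] = None

    def acquire(self, profile: str) -> dict:
        scopes = scopes_for_role(self.profiles[profile])
        self.last_request = scopes
        # Constructed token; a real client would call the Authority token endpoint.
        return {"profile": profile, "scope": " ".join(sorted(scopes))}


class ProfileTokenCache:
    """Persist one token per profile on disk; a lookup for another profile never hits."""

    def __init__(self, directory: str):
        self.path = os.path.join(directory, "tokens.json")  # assumed layout

    def _load(self) -> dict:
        if not os.path.exists(self.path):
            return {}
        with open(self.path, "r", encoding="utf-8") as f:
            return json.load(f)

    def put(self, profile: str, token: dict) -> None:
        data = self._load()
        data[profile] = token
        with open(self.path, "w", encoding="utf-8") as f:
            json.dump(data, f)

    def get(self, profile: str) -> Optional[dict]:
        return self._load().get(profile)


def run_e2e_plan() -> dict:
    """Run the page's E2E checks against the model and return what was observed."""
    results = {
        "viewer_publish": authorize(scopes_for_role("pack-viewer"), "packs.publish"),
        "publisher_publish": authorize(scopes_for_role("pack-publisher"), "packs.publish"),
        "publisher_approve": authorize(scopes_for_role("pack-publisher"), "packs.approve"),
        "admin_all": all(authorize(scopes_for_role("pack-admin"), p) == 200 for p in POLICIES),
    }
    client = TokenClient({"ops": "pack-operator", "ro": "pack-viewer"})  # assumed profiles
    with tempfile.TemporaryDirectory() as d:
        cache = ProfileTokenCache(d)
        cache.put("ops", client.acquire("ops"))
        results["operator_scopes"] = sorted(client.last_request)
        results["cached_ops"] = cache.get("ops")["scope"]
        results["cross_profile_hit"] = cache.get("ro")  # other profile: no reuse
    return results


if __name__ == "__main__":
    print(run_e2e_plan())
```

Two design points carry over to the real system regardless of language: authorization fails closed (an unknown role yields an empty bundle and an unknown policy yields 403 rather than an exception or a pass), and the cache is keyed by profile so that a viewer profile can never pick up an operator token from disk.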