feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy

- T01: Go module (keycape), full directory skeleton, Makefile, CI workflow
- T02: spec/canonical-model.yaml with 6 entities + Go domain types
- T03: spec/ldap-schema.yaml + validator binary with structural/semantic rules
- T04: Error taxonomy — 4 stable error types, JSON format, HTTP helpers

28 tests pass, go vet clean, go build clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 01:27:54 +01:00
parent f3b1cdcba4
commit 329e996619
21 changed files with 1992 additions and 0 deletions

View File

@@ -0,0 +1,68 @@
// Package domain contains the canonical identity model for KeyCape.
// This is the source of truth for all user, group, client, and MFA data.
// All provisioning, tests, and migrations derive from these types.
package domain
import "time"
// User is the canonical identity entity — source of truth for all user data.
type User struct {
ID string `yaml:"id" json:"id"`
Username string `yaml:"username" json:"username"`
DisplayName string `yaml:"displayName" json:"displayName"`
Email string `yaml:"email" json:"email"`
Enabled bool `yaml:"enabled" json:"enabled"`
Groups []string `yaml:"groups" json:"groups"`
Roles []string `yaml:"roles" json:"roles"`
MFAEnrollment *MFAEnrollment `yaml:"mfaEnrollment,omitempty" json:"mfaEnrollment,omitempty"`
LDAPAttributes map[string]string `yaml:"ldapAttributes,omitempty" json:"ldapAttributes,omitempty"`
}
// Group is a named collection of users.
type Group struct {
ID string `yaml:"id" json:"id"`
Name string `yaml:"name" json:"name"`
Description string `yaml:"description" json:"description"`
Members []string `yaml:"members" json:"members"`
}
// Role is a named permission set.
type Role struct {
ID string `yaml:"id" json:"id"`
Name string `yaml:"name" json:"name"`
Description string `yaml:"description" json:"description"`
}
// Client is a registered OIDC client (static in v0.1 — no dynamic registration).
type Client struct {
ClientID string `yaml:"clientId" json:"clientId"`
DisplayName string `yaml:"displayName" json:"displayName"`
RedirectURIs []string `yaml:"redirectUris" json:"redirectUris"`
AllowedScopes []string `yaml:"allowedScopes" json:"allowedScopes"`
GrantTypes []string `yaml:"grantTypes" json:"grantTypes"`
ClientType string `yaml:"clientType" json:"clientType"` // "confidential" | "public"
SecretRef string `yaml:"secretRef,omitempty" json:"secretRef,omitempty"`
}
// Membership links a user to a group.
type Membership struct {
UserID string `yaml:"userId" json:"userId"`
GroupID string `yaml:"groupId" json:"groupId"`
}
// MFAEnrollment records that a user has enrolled MFA via privacyIDEA.
type MFAEnrollment struct {
UserID string `yaml:"userId" json:"userId"`
Provider string `yaml:"provider" json:"provider"` // "privacyidea"
State string `yaml:"state" json:"state"` // "enabled" | "disabled" | "pending"
EnrolledAt time.Time `yaml:"enrolledAt,omitempty" json:"enrolledAt,omitempty"`
}
// Directory is the full canonical identity directory snapshot.
// Used for provisioning, validation, and migration operations.
type Directory struct {
Users []User `yaml:"users" json:"users"`
Groups []Group `yaml:"groups" json:"groups"`
Roles []Role `yaml:"roles" json:"roles"`
Clients []Client `yaml:"clients" json:"clients"`
}