feat: implement T14, T10 — enforcement middleware, LLDAP adapter

- T14: Unsupported feature registry with 7 pre-registered profile boundaries
- T10: LLDAP adapter implementing UserRepository; validator-gated reads

24 tests pass, go vet clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 01:45:21 +01:00
parent 22f7a7dc50
commit b0adbc5daa
8 changed files with 1262 additions and 3 deletions


@@ -0,0 +1,27 @@
package domain
import "context"
// UserRepository is the adapter interface between the OIDC layer and the identity directory.
// The server/ layer sees ONLY this interface — no LDAP types leak through.
type UserRepository interface {
// LookupUser retrieves the canonical User record for the given username.
// Returns an error wrapping ErrUserNotFound when the user does not exist.
LookupUser(ctx context.Context, username string) (*User, error)
// LookupGroups retrieves all groups the user (identified by their LDAP DN) belongs to.
LookupGroups(ctx context.Context, userDN string) ([]Group, error)
// ValidatePassword returns true when the username and password are correct.
// Returns false (not an error) for wrong credentials; errors indicate
// infrastructure failures (network, config, etc.).
ValidatePassword(ctx context.Context, username, password string) (bool, error)
}
// ErrUserNotFound is returned by UserRepository.LookupUser when the
// requested user does not exist in the directory.
const ErrUserNotFound = userNotFound("user not found")
type userNotFound string
func (e userNotFound) Error() string { return string(e) }
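Review bot: The ValidatePassword contract (the comment block ending just above the method signature) leaves two security-relevant cases unspecified that every LDAP-backed implementation has to get right: an empty password, where an LDAP simple bind degrades to an unauthenticated bind and "succeeds" (RFC 4513 §5.1.2), and an unknown username, which must not surface as `ErrUserNotFound` or the login path becomes a username-enumeration oracle distinct from a wrong password. Since the server layer sees only this interface, the guarantee belongs here rather than in the LLDAP adapter, e.g. `// Implementations MUST return (false, nil) for an empty password and for an unknown user,` / `// so callers cannot distinguish either case from a wrong password.` Separately, the package comment says "no LDAP types leak through" while LookupGroups takes a `userDN` argument; if that parameter is meant to be the opaque identifier carried on User, the doc comment should say so rather than name it an LDAP DN. The hunk header advertises 27 lines but only 20 are visible here, so blank lines appear to have been dropped in rendering; the definitions themselves look complete.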