package domain

import "context"

// UserRepository is the port through which the OIDC layer reaches the
// identity directory. It is the only surface the server/ layer depends on;
// directory-specific (LDAP) types never cross it.
type UserRepository interface {
	// LookupUser returns the canonical User record for username.
	// When no such user exists, the returned error wraps ErrUserNotFound.
	LookupUser(ctx context.Context, username string) (*User, error)

	// LookupGroups returns every Group the user identified by userDN
	// (the user's LDAP distinguished name) is a member of.
	LookupGroups(ctx context.Context, userDN string) ([]Group, error)

	// ValidatePassword reports whether username and password are a valid
	// pair. A wrong credential yields (false, nil); a non-nil error is
	// reserved for infrastructure failures (network, configuration, ...).
	// NOTE(review): confirm implementations also return (false, nil) for an
	// unknown username rather than an ErrUserNotFound error, so the outcome
	// of a failed login does not reveal which accounts exist.
	ValidatePassword(ctx context.Context, username, password string) (bool, error)

	// ListUsers returns every user record in the directory. It exists for
	// migration and export tooling and is not part of the OIDC flow.
	ListUsers(ctx context.Context) ([]User, error)
}

// userNotFound is the concrete type behind ErrUserNotFound. It is a string
// type so the sentinel can be declared as a constant.
type userNotFound string

// Error implements the error interface; the message is the string value itself.
func (e userNotFound) Error() string {
	msg := string(e)
	return msg
}

// ErrUserNotFound is the sentinel that UserRepository.LookupUser errors wrap
// when the requested user is absent from the directory. Being a comparable
// constant, it can be matched through a wrapped chain with errors.Is.
const ErrUserNotFound = userNotFound("user not found")