generated from coulomb/repo-seed
chore(workplan): NK-WP-0003 T04+T08 — testuser provisioned, pi-admin TOTP deferred
testuser fully provisioned in LLDAP + privacyIDEA (TOTP00007147 validated). pi-admin TOTP deferred: requires admin realm setup (SQLresolver), pi-manage has no enroll command, WebUI only works for resolver-backed users. T08 unblocked — proceed to KeyCape acceptance tests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -163,7 +163,10 @@ state_hub_task_id: "9c9c1ec9-0cf5-4546-a83e-d74dbf3b27af"
|
|||||||
note: Done 2026-03-25 on RAILIANCE01. privacyIDEA pod Running, TLS certs issued,
|
note: Done 2026-03-25 on RAILIANCE01. privacyIDEA pod Running, TLS certs issued,
|
||||||
enckey + audit keys bootstrapped (privacyidea-enckey + privacyidea-auditkeys Secrets created),
|
enckey + audit keys bootstrapped (privacyidea-enckey + privacyidea-auditkeys Secrets created),
|
||||||
pi-admin + trigger-admin created, trigger-admin-rights policy created via REST API.
|
pi-admin + trigger-admin created, trigger-admin-rights policy created via REST API.
|
||||||
REMAINING: enroll TOTP MFA for pi-admin via https://pink.coulomb.social WebUI.
|
DEFERRED: pi-admin TOTP enrollment requires an admin realm (SQLresolver pointing to PI's
|
||||||
|
internal admin table) — pi-manage has no enroll command, WebUI token enrollment only works
|
||||||
|
for resolver-backed users. Admin MFA is production hardening; pi-admin auth works
|
||||||
|
password-only for now. Track as T09 hardening item.
|
||||||
```
|
```
|
||||||
|
|
||||||
Run credential bootstrap (injects privacyIDEA secrets + creates pi-admin/trigger-admin):
|
Run credential bootstrap (injects privacyIDEA secrets + creates pi-admin/trigger-admin):
|
||||||
@@ -269,6 +272,10 @@ note: Completed 2026-03-25. All 3 test packages pass (migration, negative, profi
|
|||||||
Tests run with: cd src && ~/go/bin/go test ./tests/... -v
|
Tests run with: cd src && ~/go/bin/go test ./tests/... -v
|
||||||
Results: ok keycape/tests/migration, ok keycape/tests/negative, ok keycape/tests/profile
|
Results: ok keycape/tests/migration, ok keycape/tests/negative, ok keycape/tests/profile
|
||||||
Note: tests use httptest.Server + mocks — no live cluster connection required.
|
Note: tests use httptest.Server + mocks — no live cluster connection required.
|
||||||
|
Test user provisioned: testuser / test.user@coulomb.social
|
||||||
|
TOTP serial TOTP00007147, seed KVQLHEJCTKCI3K7G2UIF54QUE5BNLBAQ
|
||||||
|
Validated: auth PASS via privacyIDEA /validate/check.
|
||||||
|
pi-admin TOTP deferred to T09 hardening.
|
||||||
```
|
```
|
||||||
|
|
||||||
Prove the full auth flow works:
|
Prove the full auth flow works:
|
||||||
|
|||||||
Reference in New Issue
Block a user