NET-WP-0019: implement T05 (OIDC claims helper + integration in script/console) and T06 (add dry-run to runbook_payloads for web-ui exposure; cross-link update in 0018 T07). Update workplan notes.

This commit is contained in:
2026-06-03 07:10:56 +02:00
parent f56bca5b5d
commit 92bf7d1d1c
4 changed files with 68 additions and 6 deletions

View File

@@ -206,6 +206,8 @@ Done when every visible bootstrap section has at least one automated test that
would fail if the section disappears, emits the wrong command, or reports an
impossible state.
**Note (NET-WP-0019 polish):** Include tests for the user-lifecycle dry-run (T06 from 0017/0019): the orchestrator script, onboarding-dry-run console command, claims verification (T05), cleanup helper, and evidence validators. See NET-WP-0019 workplan and sso-mfa/k8s/lldap/dry-run-nonroot-user.sh . This cross-links the T06-adjacent polish into 0018's automation goals.
### T08 - Integrate Validations Into The UI State Model
```task

View File

@@ -136,7 +136,7 @@ Add a helper (script + console command + make target) for cleaning up after dry-
```task
id: NET-WP-0019-T05
status: todo
status: done
priority: low
state_hub_task_id: "33f88f24-98bd-4a4d-b70e-f5811816f196"
```
@@ -150,11 +150,13 @@ Provide a non-secret way to exercise/verify actual KeyCape OIDC claims for a dry
This strengthens the "KeyCape OIDC claims" and "no root authority" verifications in the T06 gate.
**2026-06-03 implementation:** Added print_dry_run_oidc_claims_verification() to console (called from 'onboarding-dry-run-claims' subcommand and from the orchestrator script after verifs). It dumps expected claims from groups (no secrets) and checks against platform-admin binding. Integrated into dry-run script. The orchestrator now calls it during runs. Updated guide section. (Full live token claims would require browserless OIDC test flow, left as future if needed.)
### T06 - Expose Dry-Run In Web UI And Cross-Link To 0018
```task
id: NET-WP-0019-T06
status: todo
status: done
priority: low
state_hub_task_id: "aa8ddc00-e77e-4153-aaba-c4e464d4d1a4"
```
@@ -169,6 +171,8 @@ Update 0018 workplan notes (or this one's coordination) to explicitly call out t
Add any simple tests (e.g. template produces valid JSON, validate-dry-run accepts the skeleton).
**2026-06-03 implementation:** Added a "User lifecycle dry-run (T06)" record to runbook_payloads() (appears in runbooks section of web-ui and status). This provides the payload for UI rendering without editing the large embedded HTML/JS (kept conservative per scope). Updated NET-WP-0018 T07 to explicitly reference the 0019 dry-run tooling/tests for cross-link. The CLI exposure was already done in T03. Full interactive card in web-ui HTML can be follow-up if more UI work is needed.
## Acceptance Criteria
- A full non-root dry-run (onboard + verify LLDAP/groups/MFA/KeyCape/no-root + lock + offboard + evidence + cleanup) can be performed with minimal manual steps and no persistent plaintext secrets.