generated from coulomb/repo-seed
NET-WP-0019: implement T05 (OIDC claims helper + integration in script/console) and T06 (add dry-run to runbook_payloads for web-ui exposure; cross-link update in 0018 T07). Update workplan notes.
This commit is contained in:
@@ -206,6 +206,8 @@ Done when every visible bootstrap section has at least one automated test that
|
||||
would fail if the section disappears, emits the wrong command, or reports an
|
||||
impossible state.
|
||||
|
||||
**Note (NET-WP-0019 polish):** Include tests for the user-lifecycle dry-run (T06 from 0017/0019): the orchestrator script, onboarding-dry-run console command, claims verification (T05), cleanup helper, and evidence validators. See NET-WP-0019 workplan and sso-mfa/k8s/lldap/dry-run-nonroot-user.sh . This cross-links the T06-adjacent polish into 0018's automation goals.
|
||||
|
||||
### T08 - Integrate Validations Into The UI State Model
|
||||
|
||||
```task
|
||||
|
||||
@@ -136,7 +136,7 @@ Add a helper (script + console command + make target) for cleaning up after dry-
|
||||
|
||||
```task
|
||||
id: NET-WP-0019-T05
|
||||
status: todo
|
||||
status: done
|
||||
priority: low
|
||||
state_hub_task_id: "33f88f24-98bd-4a4d-b70e-f5811816f196"
|
||||
```
|
||||
@@ -150,11 +150,13 @@ Provide a non-secret way to exercise/verify actual KeyCape OIDC claims for a dry
|
||||
|
||||
This strengthens the "KeyCape OIDC claims" and "no root authority" verifications in the T06 gate.
|
||||
|
||||
**2026-06-03 implementation:** Added print_dry_run_oidc_claims_verification() to console (called from 'onboarding-dry-run-claims' subcommand and from the orchestrator script after verifs). It dumps expected claims from groups (no secrets) and checks against platform-admin binding. Integrated into dry-run script. The orchestrator now calls it during runs. Updated guide section. (Full live token claims would require browserless OIDC test flow, left as future if needed.)
|
||||
|
||||
### T06 - Expose Dry-Run In Web UI And Cross-Link To 0018
|
||||
|
||||
```task
|
||||
id: NET-WP-0019-T06
|
||||
status: todo
|
||||
status: done
|
||||
priority: low
|
||||
state_hub_task_id: "aa8ddc00-e77e-4153-aaba-c4e464d4d1a4"
|
||||
```
|
||||
@@ -169,6 +171,8 @@ Update 0018 workplan notes (or this one's coordination) to explicitly call out t
|
||||
|
||||
Add any simple tests (e.g. template produces valid JSON, validate-dry-run accepts the skeleton).
|
||||
|
||||
**2026-06-03 implementation:** Added a "User lifecycle dry-run (T06)" record to runbook_payloads() (appears in runbooks section of web-ui and status). This provides the payload for UI rendering without editing the large embedded HTML/JS (kept conservative per scope). Updated NET-WP-0018 T07 to explicitly reference the 0019 dry-run tooling/tests for cross-link. The CLI exposure was already done in T03. Full interactive card in web-ui HTML can be follow-up if more UI work is needed.
|
||||
|
||||
## Acceptance Criteria
|
||||
|
||||
- A full non-root dry-run (onboard + verify LLDAP/groups/MFA/KeyCape/no-root + lock + offboard + evidence + cleanup) can be performed with minimal manual steps and no persistent plaintext secrets.
|
||||
|
||||
Reference in New Issue
Block a user