AgileWebs/thalos-dal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(thalos-dal): add provider-routed identity adapters

Browse Source
This commit is contained in:
José René White Enciso 2026-02-25 13:13:56 -06:00
parent 16e5e0a68a
commit 2d3f939e8f
15 changed files with 334 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/dal/identity-provider-boundaries.md
View File

@ -16,3 +16,7 @@
- Provider boundaries remain internal to Thalos DAL.
- DAL interfaces expose only transport-neutral contracts and read ports.
- Identity abstractions remain Thalos-owned.
- Runtime provider routes currently support:
- `InternalJwt`
- `AzureAd`
- `Google`

6
src/Thalos.DAL/Contracts/IdentityPermissionRecord.cs
View File

@ -1,3 +1,5 @@
using BuildingBlock.Identity.Contracts.Conventions;
namespace Thalos.DAL.Contracts;
/// <summary>
@ -6,7 +8,9 @@ namespace Thalos.DAL.Contracts;
/// <param name="Envelope">Contract envelope metadata.</param>
/// <param name="PermissionCode">Permission code identifier.</param>
/// <param name="SourceRoleCode">Role code that grants the permission.</param>
/// <param name="Provider">Auth provider for the permission grant.</param>
public sealed record IdentityPermissionRecord(
IdentityContractEnvelope Envelope,
string PermissionCode,
string SourceRoleCode);
string SourceRoleCode,
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

6
src/Thalos.DAL/Contracts/IdentityPermissionSetLookupRequest.cs
View File

@ -1,3 +1,5 @@
using BuildingBlock.Identity.Contracts.Conventions;
namespace Thalos.DAL.Contracts;
/// <summary>
@ -6,7 +8,9 @@ namespace Thalos.DAL.Contracts;
/// <param name="Envelope">Contract envelope metadata.</param>
/// <param name="SubjectId">Identity subject identifier.</param>
/// <param name="TenantId">Tenant scope identifier.</param>
/// <param name="Provider">Auth provider for the lookup flow.</param>
public sealed record IdentityPermissionSetLookupRequest(
IdentityContractEnvelope Envelope,
string SubjectId,
string TenantId);
string TenantId,
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

6
src/Thalos.DAL/Contracts/IdentityPolicyLookupRequest.cs
View File

@ -1,3 +1,5 @@
using BuildingBlock.Identity.Contracts.Conventions;
namespace Thalos.DAL.Contracts;
/// <summary>
@ -7,8 +9,10 @@ namespace Thalos.DAL.Contracts;
/// <param name="SubjectId">Identity subject identifier.</param>
/// <param name="TenantId">Tenant scope identifier.</param>
/// <param name="PermissionCode">Permission code to evaluate.</param>
/// <param name="Provider">Auth provider for the lookup flow.</param>
public sealed record IdentityPolicyLookupRequest(
IdentityContractEnvelope Envelope,
string SubjectId,
string TenantId,
string PermissionCode);
string PermissionCode,
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

6
src/Thalos.DAL/Contracts/IdentityPolicyRecord.cs
View File

@ -1,3 +1,5 @@
using BuildingBlock.Identity.Contracts.Conventions;
namespace Thalos.DAL.Contracts;
/// <summary>
@ -7,8 +9,10 @@ namespace Thalos.DAL.Contracts;
/// <param name="SubjectId">Identity subject identifier.</param>
/// <param name="PermissionCode">Permission code evaluated.</param>
/// <param name="ContextSatisfied">Indicates whether policy context is satisfied.</param>
/// <param name="Provider">Auth provider used for policy evaluation.</param>
public sealed record IdentityPolicyRecord(
IdentityContractEnvelope Envelope,
string SubjectId,
string PermissionCode,
bool ContextSatisfied);
bool ContextSatisfied,
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

11
src/Thalos.DAL/Contracts/IdentityTokenLookupRequest.cs
View File

@ -1,3 +1,5 @@
using BuildingBlock.Identity.Contracts.Conventions;
namespace Thalos.DAL.Contracts;
/// <summary>
@ -6,4 +8,11 @@ namespace Thalos.DAL.Contracts;
/// <param name="Envelope">Contract envelope metadata.</param>
/// <param name="SubjectId">Identity subject identifier.</param>
/// <param name="TenantId">Tenant scope identifier.</param>
public sealed record IdentityTokenLookupRequest(IdentityContractEnvelope Envelope, string SubjectId, string TenantId);
/// <param name="Provider">Auth provider for the lookup flow.</param>
/// <param name="ExternalToken">External provider token when applicable.</param>
public sealed record IdentityTokenLookupRequest(
IdentityContractEnvelope Envelope,
string SubjectId,
string TenantId,
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
string ExternalToken = "");

6
src/Thalos.DAL/Contracts/IdentityTokenRecord.cs
View File

@ -1,3 +1,5 @@
using BuildingBlock.Identity.Contracts.Conventions;
namespace Thalos.DAL.Contracts;
/// <summary>
@ -8,9 +10,11 @@ namespace Thalos.DAL.Contracts;
/// <param name="TenantId">Tenant scope identifier.</param>
/// <param name="Token">Issued access token value.</param>
/// <param name="ExpiresInSeconds">Token expiration in seconds.</param>
/// <param name="Provider">Auth provider used for token issuance.</param>
public sealed record IdentityTokenRecord(
IdentityContractEnvelope Envelope,
string SubjectId,
string TenantId,
string Token,
int ExpiresInSeconds);
int ExpiresInSeconds,
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);

11
src/Thalos.DAL/Contracts/IdentityUserLookupRequest.cs
View File

@ -1,3 +1,5 @@
using BuildingBlock.Identity.Contracts.Conventions;
namespace Thalos.DAL.Contracts;
/// <summary>
@ -6,4 +8,11 @@ namespace Thalos.DAL.Contracts;
/// <param name="Envelope">Contract envelope metadata.</param>
/// <param name="SubjectId">Identity subject identifier.</param>
/// <param name="TenantId">Tenant identifier.</param>
public sealed record IdentityUserLookupRequest(IdentityContractEnvelope Envelope, string SubjectId, string TenantId);
/// <param name="Provider">Auth provider for the lookup flow.</param>
/// <param name="ExternalToken">External provider token when applicable.</param>
public sealed record IdentityUserLookupRequest(
IdentityContractEnvelope Envelope,
string SubjectId,
string TenantId,
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
string ExternalToken = "");

12
src/Thalos.DAL/DependencyInjection/ThalosDalServiceCollectionExtensions.cs
View File

@ -23,9 +23,17 @@ public static class ThalosDalServiceCollectionExtensions
{
services.AddBlueprintRuntimeCore();
services.TryAddSingleton<IUserDataProvider, InMemoryUserDataProvider>();
services.TryAddSingleton<InternalJwtUserDataProvider>();
services.TryAddSingleton<AzureAdUserDataProvider>();
services.TryAddSingleton<GoogleUserDataProvider>();
services.TryAddSingleton<IUserDataProvider, RoutedUserDataProvider>();
services.TryAddSingleton<InternalJwtPermissionDataProvider>();
services.TryAddSingleton<AzureAdPermissionDataProvider>();
services.TryAddSingleton<GooglePermissionDataProvider>();
services.TryAddSingleton<IPermissionDataProvider, RoutedPermissionDataProvider>();
services.TryAddSingleton<IRoleDataProvider, InMemoryRoleDataProvider>();
services.TryAddSingleton<IPermissionDataProvider, InMemoryPermissionDataProvider>();
services.TryAddSingleton<IModuleDataProvider, InMemoryModuleDataProvider>();
services.TryAddSingleton<ITenantDataProvider, InMemoryTenantDataProvider>();

89
src/Thalos.DAL/Providers/ProviderPermissionDataProviders.cs Normal file
View File

@ -0,0 +1,89 @@
using BuildingBlock.Identity.Contracts.Conventions;
using Thalos.DAL.Contracts;
namespace Thalos.DAL.Providers;
/// <summary>
/// Internal JWT permission provider implementation.
/// </summary>
public sealed class InternalJwtPermissionDataProvider : IPermissionDataProvider
{
/// <inheritdoc />
public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
IdentityPermissionSetLookupRequest request,
CancellationToken cancellationToken = default)
{
IReadOnlyList<IdentityPermissionRecord> records =
[
new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.admin", IdentityAuthProvider.InternalJwt),
new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.admin", IdentityAuthProvider.InternalJwt)
];
return Task.FromResult(records);
}
}
/// <summary>
/// Azure AD permission provider implementation.
/// </summary>
public sealed class AzureAdPermissionDataProvider : IPermissionDataProvider
{
/// <inheritdoc />
public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
IdentityPermissionSetLookupRequest request,
CancellationToken cancellationToken = default)
{
IReadOnlyList<IdentityPermissionRecord> records =
[
new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.azure.user", IdentityAuthProvider.AzureAd),
new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.azure.user", IdentityAuthProvider.AzureAd),
new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.azure.user", IdentityAuthProvider.AzureAd)
];
return Task.FromResult(records);
}
}
/// <summary>
/// Google permission provider implementation.
/// </summary>
public sealed class GooglePermissionDataProvider : IPermissionDataProvider
{
/// <inheritdoc />
public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
IdentityPermissionSetLookupRequest request,
CancellationToken cancellationToken = default)
{
IReadOnlyList<IdentityPermissionRecord> records =
[
new IdentityPermissionRecord(request.Envelope, "identity.token.issue", "identity.google.user", IdentityAuthProvider.Google),
new IdentityPermissionRecord(request.Envelope, "identity.policy.evaluate", "identity.google.user", IdentityAuthProvider.Google),
new IdentityPermissionRecord(request.Envelope, "identity.oauth.exchange", "identity.google.user", IdentityAuthProvider.Google)
];
return Task.FromResult(records);
}
}
/// <summary>
/// Routes permission lookups to the matching provider implementation.
/// </summary>
public sealed class RoutedPermissionDataProvider(
InternalJwtPermissionDataProvider internalJwtProvider,
AzureAdPermissionDataProvider azureProvider,
GooglePermissionDataProvider googleProvider) : IPermissionDataProvider
{
/// <inheritdoc />
public Task<IReadOnlyList<IdentityPermissionRecord>> ReadPermissionsAsync(
IdentityPermissionSetLookupRequest request,
CancellationToken cancellationToken = default)
{
return request.Provider switch
{
IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadPermissionsAsync(request, cancellationToken),
IdentityAuthProvider.AzureAd => azureProvider.ReadPermissionsAsync(request, cancellationToken),
IdentityAuthProvider.Google => googleProvider.ReadPermissionsAsync(request, cancellationToken),
_ => Task.FromResult<IReadOnlyList<IdentityPermissionRecord>>([])
};
}
}

143
src/Thalos.DAL/Providers/ProviderUserDataProviders.cs Normal file
View File

@ -0,0 +1,143 @@
using BuildingBlock.Identity.Contracts.Conventions;
using Thalos.DAL.Contracts;
namespace Thalos.DAL.Providers;
/// <summary>
/// Internal JWT provider implementation for identity user reads.
/// </summary>
public sealed class InternalJwtUserDataProvider : IUserDataProvider
{
/// <inheritdoc />
public Task<IdentityUserRecord?> ReadUserAsync(
IdentityUserLookupRequest request,
CancellationToken cancellationToken = default)
{
if (request.SubjectId.StartsWith("missing-", StringComparison.OrdinalIgnoreCase))
{
return Task.FromResult<IdentityUserRecord?>(null);
}
var record = new IdentityUserRecord(
request.Envelope,
request.SubjectId,
request.TenantId,
"active",
$"{request.SubjectId}:{request.TenantId}:token",
1800,
true);
return Task.FromResult<IdentityUserRecord?>(record);
}
}
/// <summary>
/// Azure AD provider implementation for identity user reads.
/// </summary>
public sealed class AzureAdUserDataProvider : IUserDataProvider
{
/// <inheritdoc />
public Task<IdentityUserRecord?> ReadUserAsync(
IdentityUserLookupRequest request,
CancellationToken cancellationToken = default)
{
var subjectId = ResolveSubjectId(request, "azure-sub");
if (string.IsNullOrWhiteSpace(subjectId))
{
return Task.FromResult<IdentityUserRecord?>(null);
}
var record = new IdentityUserRecord(
request.Envelope,
subjectId,
request.TenantId,
"active",
$"azure:{subjectId}:{request.TenantId}:token",
3600,
true);
return Task.FromResult<IdentityUserRecord?>(record);
}
private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
{
if (!string.IsNullOrWhiteSpace(request.SubjectId))
{
return request.SubjectId;
}
if (string.IsNullOrWhiteSpace(request.ExternalToken))
{
return string.Empty;
}
return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
}
}
/// <summary>
/// Google provider implementation for identity user reads.
/// </summary>
public sealed class GoogleUserDataProvider : IUserDataProvider
{
/// <inheritdoc />
public Task<IdentityUserRecord?> ReadUserAsync(
IdentityUserLookupRequest request,
CancellationToken cancellationToken = default)
{
var subjectId = ResolveSubjectId(request, "google-sub");
if (string.IsNullOrWhiteSpace(subjectId))
{
return Task.FromResult<IdentityUserRecord?>(null);
}
var record = new IdentityUserRecord(
request.Envelope,
subjectId,
request.TenantId,
"active",
$"google:{subjectId}:{request.TenantId}:token",
3000,
true);
return Task.FromResult<IdentityUserRecord?>(record);
}
private static string ResolveSubjectId(IdentityUserLookupRequest request, string prefix)
{
if (!string.IsNullOrWhiteSpace(request.SubjectId))
{
return request.SubjectId;
}
if (string.IsNullOrWhiteSpace(request.ExternalToken))
{
return string.Empty;
}
return $"{prefix}-{Math.Abs(request.ExternalToken.GetHashCode(StringComparison.Ordinal))}";
}
}
/// <summary>
/// Routes user lookups to the matching provider implementation.
/// </summary>
public sealed class RoutedUserDataProvider(
InternalJwtUserDataProvider internalJwtProvider,
AzureAdUserDataProvider azureProvider,
GoogleUserDataProvider googleProvider) : IUserDataProvider
{
/// <inheritdoc />
public Task<IdentityUserRecord?> ReadUserAsync(
IdentityUserLookupRequest request,
CancellationToken cancellationToken = default)
{
return request.Provider switch
{
IdentityAuthProvider.InternalJwt => internalJwtProvider.ReadUserAsync(request, cancellationToken),
IdentityAuthProvider.AzureAd => azureProvider.ReadUserAsync(request, cancellationToken),
IdentityAuthProvider.Google => googleProvider.ReadUserAsync(request, cancellationToken),
_ => Task.FromResult<IdentityUserRecord?>(null)
};
}
}

23
src/Thalos.DAL/Repositories/IdentityRepository.cs
View File

@ -15,7 +15,12 @@ public sealed class IdentityRepository(
IdentityTokenLookupRequest request,
CancellationToken cancellationToken = default)
{
var userRequest = new IdentityUserLookupRequest(request.Envelope, request.SubjectId, request.TenantId);
var userRequest = new IdentityUserLookupRequest(
request.Envelope,
request.SubjectId,
request.TenantId,
request.Provider,
request.ExternalToken);
var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
if (userRecord is null)
{
@ -24,10 +29,11 @@ public sealed class IdentityRepository(
return new IdentityTokenRecord(
request.Envelope,
request.SubjectId,
userRecord.SubjectId,
request.TenantId,
userRecord.Token,
userRecord.ExpiresInSeconds);
userRecord.ExpiresInSeconds,
request.Provider);
}
/// <inheritdoc />
@ -35,7 +41,11 @@ public sealed class IdentityRepository(
IdentityPolicyLookupRequest request,
CancellationToken cancellationToken = default)
{
var userRequest = new IdentityUserLookupRequest(request.Envelope, request.SubjectId, request.TenantId);
var userRequest = new IdentityUserLookupRequest(
request.Envelope,
request.SubjectId,
request.TenantId,
request.Provider);
var userRecord = await userDataProvider.ReadUserAsync(userRequest, cancellationToken);
if (userRecord is null)
{
@ -44,9 +54,10 @@ public sealed class IdentityRepository(
return new IdentityPolicyRecord(
request.Envelope,
request.SubjectId,
userRecord.SubjectId,
request.PermissionCode,
userRecord.ContextSatisfied);
userRecord.ContextSatisfied,
request.Provider);
}
/// <inheritdoc />

1
src/Thalos.DAL/Thalos.DAL.csproj
View File

@ -6,6 +6,7 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
<ProjectReference Include="..\..\..\building-block-identity\src\BuildingBlock.Identity.Contracts\BuildingBlock.Identity.Contracts.csproj" />
<ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
</ItemGroup>
</Project>

2
tests/Thalos.DAL.UnitTests/ContractShapeTests.cs
View File

@ -16,6 +16,7 @@ public class ContractShapeTests
Assert.Equal("user-1", request.SubjectId);
Assert.Equal("tenant-1", request.TenantId);
Assert.Equal("identity.token.issue", request.PermissionCode);
Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, request.Provider);
}
[Fact]
@ -30,6 +31,7 @@ public class ContractShapeTests
Assert.Equal("tenant-1", record.TenantId);
Assert.Equal("token-xyz", record.Token);
Assert.Equal(1800, record.ExpiresInSeconds);
Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, record.Provider);
}
[Fact]

23
tests/Thalos.DAL.UnitTests/RuntimeWiringTests.cs
View File

@ -28,6 +28,29 @@ public class RuntimeWiringTests
Assert.Equal("user-1", response.SubjectId);
Assert.Equal("tenant-1", response.TenantId);
Assert.Equal(1800, response.ExpiresInSeconds);
Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt, response.Provider);
}
[Fact]
public async Task AddThalosDalRuntime_WhenExternalProviderUsed_ResolvesProviderSpecificToken()
{
var services = new ServiceCollection();
services.AddThalosDalRuntime();
using var provider = services.BuildServiceProvider();
var repository = provider.GetRequiredService<IIdentityRepository>();
var request = new IdentityTokenLookupRequest(
new IdentityContractEnvelope("1.0.0", "corr-ext"),
string.Empty,
"tenant-2",
BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd,
"external-azure-token");
var response = await repository.ReadIdentityTokenAsync(request);
Assert.NotNull(response);
Assert.Equal(BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.AzureAd, response.Provider);
Assert.StartsWith("azure:", response.Token);
}
[Fact]