merge(thalos-service): integrate thalos-service-orchestration-normalization
This commit is contained in:
commit
d0730e1438
14
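--- a/docs/architecture/service-orchestration-boundary.md
+++ b/docs/architecture/service-orchestration-boundary.md
@@ -0,0 +1,14 @@
+# Thalos Service Orchestration Boundary
+
+## Purpose
+Constrain thalos-service to orchestration responsibilities after thalos-domain extraction.
+
+## Service Responsibilities
+- Coordinate identity use-case flow
+- Delegate policy/token decisions to thalos-domain abstractions
+- Adapt transport contracts
+- Route provider metadata (`InternalJwt`, `AzureAd`, `Google`) between edge/service/dal boundaries
+
+## Prohibited Responsibilities
+- Owning identity decision policies
+- Owning persistence decision concerns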
10
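--- a/docs/migration/domain-delegation-plan.md
+++ b/docs/migration/domain-delegation-plan.md
@@ -0,0 +1,10 @@
+# Thalos Domain Delegation Plan
+
+## Delegation Model
+- Use cases invoke thalos-domain abstractions for policy and token decisions.
+- Service adapters retain technical contract mapping only.
+
+## Transition Steps
+1. Replace in-service decision branches with domain calls.
+2. Keep service contract shapes stable.
+3. Validate orchestration-only responsibilities.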
10
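--- a/docs/migration/identity-service-regression-checks.md
+++ b/docs/migration/identity-service-regression-checks.md
@@ -0,0 +1,10 @@
+# Identity Service Regression Checks
+
+## Checks
+- Service no longer contains policy/token decision branches.
+- Service still orchestrates required dependencies.
+- Transport contract outputs remain stable.
+
+## Evidence
+- Updated architecture docs
+- Delegation map confirmation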
@ -1,26 +0,0 @@
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
|
||||
namespace Thalos.Service.Application.Adapters;
|
||||
|
||||
/// <summary>
|
||||
/// Defines adapter boundary for integrating identity contracts into policy use cases.
|
||||
/// </summary>
|
||||
public interface IIdentityCapabilityContractAdapter
|
||||
{
|
||||
/// <summary>
|
||||
/// Creates a transport-neutral context request for policy evaluation.
|
||||
/// </summary>
|
||||
/// <param name="identityRequest">Identity policy request.</param>
|
||||
/// <returns>Identity policy context request.</returns>
|
||||
IdentityPolicyContextRequest CreatePolicyContext(EvaluateIdentityPolicyRequest identityRequest);
|
||||
|
||||
/// <summary>
|
||||
/// Maps policy context response into identity policy response.
|
||||
/// </summary>
|
||||
/// <param name="identityRequest">Identity policy request.</param>
|
||||
/// <param name="contextResponse">Identity policy context response.</param>
|
||||
/// <returns>Identity policy response.</returns>
|
||||
EvaluateIdentityPolicyResponse MapPolicyResponse(
|
||||
EvaluateIdentityPolicyRequest identityRequest,
|
||||
IdentityPolicyContextResponse contextResponse);
|
||||
}
|
||||
@ -1,5 +1,5 @@
|
||||
using Thalos.Service.Application.Grpc;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
|
||||
namespace Thalos.Service.Application.Adapters;
|
||||
|
||||
|
||||
@ -0,0 +1,35 @@
|
||||
using Thalos.Service.Application.Grpc;
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
|
||||
namespace Thalos.Service.Application.Adapters;
|
||||
|
||||
/// <summary>
|
||||
/// Default adapter implementation for identity policy gRPC contract translation.
|
||||
/// </summary>
|
||||
public sealed class IdentityPolicyGrpcContractAdapter : IIdentityPolicyGrpcContractAdapter
|
||||
{
|
||||
/// <inheritdoc />
|
||||
public EvaluateIdentityPolicyGrpcContract ToGrpc(EvaluateIdentityPolicyRequest request)
|
||||
{
|
||||
return new EvaluateIdentityPolicyGrpcContract(
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.PermissionCode,
|
||||
request.Provider.ToString());
|
||||
}
|
||||
|
||||
/// <inheritdoc />
|
||||
public EvaluateIdentityPolicyRequest FromGrpc(EvaluateIdentityPolicyGrpcContract contract)
|
||||
{
|
||||
var provider = Enum.TryParse<IdentityAuthProvider>(contract.Provider, true, out var parsedProvider)
|
||||
? parsedProvider
|
||||
: IdentityAuthProvider.InternalJwt;
|
||||
|
||||
return new EvaluateIdentityPolicyRequest(
|
||||
contract.SubjectId,
|
||||
contract.TenantId,
|
||||
contract.PermissionCode,
|
||||
provider);
|
||||
}
|
||||
}
|
||||
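Review bot: `FromGrpc` on the `Enum.TryParse<IdentityAuthProvider>(contract.Provider, true, …)` line accepts integer strings as well as member names, so a wire value such as `"7"` parses successfully to an undefined enum member instead of hitting the fallback, and any unrecognized name silently becomes `InternalJwt`; for an identity boundary it is safer to fail closed. Guard with `Enum.IsDefined` and reject rather than default: `var provider = Enum.TryParse<IdentityAuthProvider>(contract.Provider, true, out var parsedProvider) && Enum.IsDefined(parsedProvider) ? parsedProvider : throw new ArgumentException($"Unknown provider '{contract.Provider}'.", nameof(contract));` — if the silent fallback is intentional, keep the `IsDefined` check and document the fallback on the method. The same parse-with-default is copied into `ParseProvider` of `IdentityRuntimeGrpcService` in a later hunk; both paths should call one shared helper so they cannot drift.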
@ -0,0 +1,39 @@
|
||||
using Core.Blueprint.Common.DependencyInjection;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.Extensions.DependencyInjection.Extensions;
|
||||
using Thalos.Domain.Decisions;
|
||||
using Thalos.DAL.DependencyInjection;
|
||||
using Thalos.Service.Application.Adapters;
|
||||
using Thalos.Service.Application.Ports;
|
||||
using Thalos.Service.Application.UseCases;
|
||||
|
||||
namespace Thalos.Service.Application.DependencyInjection;
|
||||
|
||||
/// <summary>
|
||||
/// Registers thalos-service runtime orchestration and DAL adapters.
|
||||
/// </summary>
|
||||
public static class ThalosServiceRuntimeServiceCollectionExtensions
|
||||
{
|
||||
/// <summary>
|
||||
/// Adds thalos-service runtime wiring aligned with blueprint runtime and thalos-dal runtime.
|
||||
/// </summary>
|
||||
/// <param name="services">Service collection.</param>
|
||||
/// <returns>Service collection for fluent chaining.</returns>
|
||||
public static IServiceCollection AddThalosServiceRuntime(this IServiceCollection services)
|
||||
{
|
||||
services.AddBlueprintRuntimeCore();
|
||||
services.AddThalosDalRuntime();
|
||||
services.TryAddSingleton<IIdentityPolicyDecisionService, IdentityPolicyDecisionService>();
|
||||
services.TryAddSingleton<IIdentityTokenDecisionService, IdentityTokenDecisionService>();
|
||||
|
||||
services.TryAddSingleton<IIdentityPolicyGrpcContractAdapter, IdentityPolicyGrpcContractAdapter>();
|
||||
|
||||
services.TryAddSingleton<IIdentityTokenReadPort, IdentityTokenReadPortDalAdapter>();
|
||||
services.TryAddSingleton<IIdentityPolicyContextReadPort, IdentityPolicyContextReadPortDalAdapter>();
|
||||
|
||||
services.TryAddSingleton<IIssueIdentityTokenUseCase, IssueIdentityTokenUseCase>();
|
||||
services.TryAddSingleton<IEvaluateIdentityPolicyUseCase, EvaluateIdentityPolicyUseCase>();
|
||||
|
||||
return services;
|
||||
}
|
||||
}
|
||||
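Review bot: `AddThalosServiceRuntime` dereferences `services` without a guard; add `ArgumentNullException.ThrowIfNull(services);` as the first statement. The two DAL adapters are registered as singletons and capture `IIdentityRepository` and `IBlueprintSystemClock` for the process lifetime; if `AddThalosDalRuntime()` registers the repository with a shorter lifetime that is a captive dependency, which cannot be confirmed from this diff. Registering the concrete `Thalos.Domain.Decisions` implementations from the service project also sits oddly with the delegation plan in this commit — an `AddThalosDomain()`-style extension owned by thalos-domain would keep the service wiring to abstractions.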
@ -6,4 +6,9 @@ namespace Thalos.Service.Application.Grpc;
|
||||
/// <param name="SubjectId">Identity subject identifier.</param>
|
||||
/// <param name="TenantId">Tenant scope identifier.</param>
|
||||
/// <param name="PermissionCode">Permission code to evaluate.</param>
|
||||
public sealed record EvaluateIdentityPolicyGrpcContract(string SubjectId, string TenantId, string PermissionCode);
|
||||
/// <param name="Provider">Auth provider.</param>
|
||||
public sealed record EvaluateIdentityPolicyGrpcContract(
|
||||
string SubjectId,
|
||||
string TenantId,
|
||||
string PermissionCode,
|
||||
string Provider = "InternalJwt");
|
||||
|
||||
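Review bot: The new `string Provider = "InternalJwt"` default duplicates the fallback value that `IdentityPolicyGrpcContractAdapter.FromGrpc` hard-codes as `IdentityAuthProvider.InternalJwt`, so the two can drift; if `BuildingBlock.Identity.Contracts.Conventions` is reachable from this file (its usings are outside the hunk), `string Provider = nameof(IdentityAuthProvider.InternalJwt)` ties them together. The `<param name="Provider">Auth provider.</param>` line should also say what the string is and what omission means, e.g. `/// <param name="Provider">Auth provider as an IdentityAuthProvider member name; defaults to "InternalJwt" when omitted.</param>`.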
@ -1,4 +1,5 @@
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using Thalos.Domain.Contracts;
|
||||
|
||||
namespace Thalos.Service.Application.Ports;
|
||||
|
||||
@ -12,5 +13,5 @@ public interface IIdentityPolicyContextReadPort
|
||||
/// </summary>
|
||||
/// <param name="request">Identity policy context request.</param>
|
||||
/// <returns>Identity policy context response.</returns>
|
||||
Task<IdentityPolicyContextResponse> ReadPolicyContextAsync(IdentityPolicyContextRequest request);
|
||||
Task<IdentityPolicyContextData> ReadPolicyContextAsync(IdentityPolicyContextRequest request);
|
||||
}
|
||||
|
||||
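Review bot: The `<returns>Identity policy context response.</returns>` line is now stale — the signature below it returns `Task<IdentityPolicyContextData>`, not a response contract; change it to `/// <returns>Identity policy context data.</returns>`. `IIdentityTokenReadPort` in the next hunk has the same problem: `<param name="request">Token request contract.</param>` and `<returns>Token response contract.</returns>` still describe the removed `IssueTokenAsync` while the method is now `ReadTokenAsync` returning `Task<IdentityTokenData>`. The `<summary>` opening of both interfaces is outside the hunks and likely needs the same wording update.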
@ -1,4 +1,5 @@
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using Thalos.Domain.Contracts;
|
||||
|
||||
namespace Thalos.Service.Application.Ports;
|
||||
|
||||
@ -12,5 +13,5 @@ public interface IIdentityTokenReadPort
|
||||
/// </summary>
|
||||
/// <param name="request">Token request contract.</param>
|
||||
/// <returns>Token response contract.</returns>
|
||||
Task<IssueIdentityTokenResponse> IssueTokenAsync(IssueIdentityTokenRequest request);
|
||||
Task<IdentityTokenData> ReadTokenAsync(IssueIdentityTokenRequest request);
|
||||
}
|
||||
|
||||
@ -0,0 +1,60 @@
|
||||
using Core.Blueprint.Common.Runtime;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using Thalos.DAL.Contracts;
|
||||
using Thalos.DAL.Repositories;
|
||||
using Thalos.Domain.Contracts;
|
||||
|
||||
namespace Thalos.Service.Application.Ports;
|
||||
|
||||
/// <summary>
|
||||
/// Default DAL adapter for identity policy context read port.
|
||||
/// </summary>
|
||||
public sealed class IdentityPolicyContextReadPortDalAdapter(
|
||||
IIdentityRepository identityRepository,
|
||||
IBlueprintSystemClock clock) : IIdentityPolicyContextReadPort
|
||||
{
|
||||
/// <inheritdoc />
|
||||
public async Task<IdentityPolicyContextData> ReadPolicyContextAsync(IdentityPolicyContextRequest request)
|
||||
{
|
||||
var policyLookupRequest = new IdentityPolicyLookupRequest(
|
||||
CreateEnvelope(),
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.PermissionCode,
|
||||
request.Provider);
|
||||
|
||||
var policyRecord = await identityRepository.ReadIdentityPolicyAsync(policyLookupRequest);
|
||||
if (policyRecord is null)
|
||||
{
|
||||
return new IdentityPolicyContextData(
|
||||
request.SubjectId,
|
||||
request.PermissionCode,
|
||||
request.Provider,
|
||||
false,
|
||||
[]);
|
||||
}
|
||||
|
||||
var permissionSetRequest = new IdentityPermissionSetLookupRequest(
|
||||
policyLookupRequest.Envelope,
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.Provider);
|
||||
|
||||
var permissions = await identityRepository.ReadPermissionSetAsync(permissionSetRequest);
|
||||
var grantedPermissions = permissions
|
||||
.Select(permission => permission.PermissionCode)
|
||||
.ToArray();
|
||||
|
||||
return new IdentityPolicyContextData(
|
||||
request.SubjectId,
|
||||
request.PermissionCode,
|
||||
policyRecord.Provider,
|
||||
policyRecord.ContextSatisfied,
|
||||
grantedPermissions);
|
||||
}
|
||||
|
||||
private IdentityContractEnvelope CreateEnvelope()
|
||||
{
|
||||
return new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
|
||||
}
|
||||
}
|
||||
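Review bot: `CreateEnvelope` derives the correlation id from the clock alone (`$"corr-{clock.UtcNow:yyyyMMddHHmmssfff}"`), so two lookups in the same millisecond share an id and the value is predictable, which defeats it as an audit/log correlation key; prefer a caller-supplied correlation id on the request, or at least `return new IdentityContractEnvelope("1.0.0", $"corr-{Guid.NewGuid():N}");`. The `"1.0.0"` envelope version is a magic string repeated verbatim in `IdentityTokenReadPortDalAdapter.CreateEnvelope` in the next hunk; lift the version and the envelope factory into one shared helper. The `policyRecord is null` branch deserves a why-comment, e.g. `// No policy record: fail closed with ContextSatisfied = false and no granted permissions.`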
@ -0,0 +1,39 @@
|
||||
using Core.Blueprint.Common.Runtime;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using Thalos.DAL.Contracts;
|
||||
using Thalos.DAL.Repositories;
|
||||
using Thalos.Domain.Contracts;
|
||||
|
||||
namespace Thalos.Service.Application.Ports;
|
||||
|
||||
/// <summary>
|
||||
/// Default DAL adapter for identity token read port.
|
||||
/// </summary>
|
||||
public sealed class IdentityTokenReadPortDalAdapter(
|
||||
IIdentityRepository identityRepository,
|
||||
IBlueprintSystemClock clock) : IIdentityTokenReadPort
|
||||
{
|
||||
/// <inheritdoc />
|
||||
public async Task<IdentityTokenData> ReadTokenAsync(IssueIdentityTokenRequest request)
|
||||
{
|
||||
var lookupRequest = new IdentityTokenLookupRequest(
|
||||
CreateEnvelope(),
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.Provider,
|
||||
request.ExternalToken);
|
||||
|
||||
var tokenRecord = await identityRepository.ReadIdentityTokenAsync(lookupRequest);
|
||||
if (tokenRecord is null)
|
||||
{
|
||||
return new IdentityTokenData(null, null, request.Provider);
|
||||
}
|
||||
|
||||
return new IdentityTokenData(tokenRecord.Token, tokenRecord.ExpiresInSeconds, tokenRecord.Provider);
|
||||
}
|
||||
|
||||
private IdentityContractEnvelope CreateEnvelope()
|
||||
{
|
||||
return new IdentityContractEnvelope("1.0.0", $"corr-{clock.UtcNow:yyyyMMddHHmmssfff}");
|
||||
}
|
||||
}
|
||||
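Review bot: `ReadTokenAsync` forwards `request.ExternalToken` — the caller's raw external credential — into `IdentityTokenLookupRequest` alongside the envelope, so the whole lookup request is sensitive; whether the DAL logs or persists it cannot be seen here, but the contract should state it: `/// <remarks>The lookup request carries the caller's external token; it must not be logged or stored wholesale.</remarks>` on the class. The `tokenRecord is null` branch returns `new IdentityTokenData(null, null, request.Provider)` with no comment; a one-liner such as `// Unknown subject: return an empty token so the decision service can fail closed.` makes the intent explicit.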
@ -5,6 +5,9 @@
|
||||
<Nullable>enable</Nullable>
|
||||
</PropertyGroup>
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\Thalos.Service.Identity.Abstractions\Thalos.Service.Identity.Abstractions.csproj" />
|
||||
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
|
||||
<ProjectReference Include="..\..\..\building-block-identity\src\BuildingBlock.Identity.Contracts\BuildingBlock.Identity.Contracts.csproj" />
|
||||
<ProjectReference Include="..\..\..\thalos-domain\src\Thalos.Domain\Thalos.Domain.csproj" />
|
||||
<ProjectReference Include="..\..\..\thalos-dal\src\Thalos.DAL\Thalos.DAL.csproj" />
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
using Thalos.Service.Application.Adapters;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
using Thalos.Service.Application.Ports;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using Thalos.Domain.Decisions;
|
||||
|
||||
namespace Thalos.Service.Application.UseCases;
|
||||
|
||||
@ -8,16 +9,16 @@ namespace Thalos.Service.Application.UseCases;
|
||||
/// Default orchestration implementation for identity policy evaluation.
|
||||
/// </summary>
|
||||
public sealed class EvaluateIdentityPolicyUseCase(
|
||||
IIdentityCapabilityContractAdapter contractAdapter,
|
||||
IIdentityPolicyDecisionService decisionService,
|
||||
IIdentityPolicyContextReadPort policyContextReadPort)
|
||||
: IEvaluateIdentityPolicyUseCase
|
||||
{
|
||||
/// <inheritdoc />
|
||||
public async Task<EvaluateIdentityPolicyResponse> HandleAsync(EvaluateIdentityPolicyRequest request)
|
||||
{
|
||||
var policyContextRequest = contractAdapter.CreatePolicyContext(request);
|
||||
var policyContextResponse = await policyContextReadPort.ReadPolicyContextAsync(policyContextRequest);
|
||||
var policyContextRequest = decisionService.BuildPolicyContextRequest(request);
|
||||
var policyContextData = await policyContextReadPort.ReadPolicyContextAsync(policyContextRequest);
|
||||
|
||||
return contractAdapter.MapPolicyResponse(request, policyContextResponse);
|
||||
return decisionService.Evaluate(request, policyContextData);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,4 +1,5 @@
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
|
||||
namespace Thalos.Service.Application.UseCases;
|
||||
|
||||
|
||||
@ -1,4 +1,5 @@
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
|
||||
namespace Thalos.Service.Application.UseCases;
|
||||
|
||||
|
||||
@ -1,17 +1,22 @@
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
using Thalos.Service.Application.Ports;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using Thalos.Domain.Decisions;
|
||||
|
||||
namespace Thalos.Service.Application.UseCases;
|
||||
|
||||
/// <summary>
|
||||
/// Default orchestration implementation for identity token issuance.
|
||||
/// </summary>
|
||||
public sealed class IssueIdentityTokenUseCase(IIdentityTokenReadPort readPort)
|
||||
public sealed class IssueIdentityTokenUseCase(
|
||||
IIdentityTokenReadPort readPort,
|
||||
IIdentityTokenDecisionService decisionService)
|
||||
: IIssueIdentityTokenUseCase
|
||||
{
|
||||
/// <inheritdoc />
|
||||
public Task<IssueIdentityTokenResponse> HandleAsync(IssueIdentityTokenRequest request)
|
||||
public async Task<IssueIdentityTokenResponse> HandleAsync(IssueIdentityTokenRequest request)
|
||||
{
|
||||
return readPort.IssueTokenAsync(request);
|
||||
var tokenData = await readPort.ReadTokenAsync(request);
|
||||
return decisionService.BuildIssuedTokenResponse(tokenData);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,6 +1,15 @@
|
||||
using Thalos.Service.Application.DependencyInjection;
|
||||
using Thalos.Service.Grpc.Services;
|
||||
|
||||
var builder = WebApplication.CreateBuilder(args);
|
||||
|
||||
// Stage 3 skeleton: single active internal protocol policy is gRPC-first.
|
||||
builder.Services.AddGrpc();
|
||||
builder.Services.AddHealthChecks();
|
||||
builder.Services.AddThalosServiceRuntime();
|
||||
|
||||
var app = builder.Build();
|
||||
|
||||
app.MapGrpcService<IdentityRuntimeGrpcService>();
|
||||
app.MapHealthChecks("/healthz");
|
||||
|
||||
app.Run();
|
||||
|
||||
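Review bot: `app.MapGrpcService<IdentityRuntimeGrpcService>()` exposes token issuance and policy evaluation with no authentication or authorization in the pipeline — there is no `UseAuthentication`/`UseAuthorization` and no `.RequireAuthorization()` on the mapping — so any client that can reach the port can obtain tokens. If that is deliberate for the skeleton, say so in the existing comment, e.g. `// Stage 3 skeleton: gRPC-first internal protocol; the endpoint is unauthenticated and must stay on the trusted network until auth middleware is wired.`; otherwise gate the mapping with `.RequireAuthorization()` or transport-level client certificates before it is reachable from outside that network. One line of the old file is removed by this hunk but is not recoverable from the rendered page, so the note covers the new side only.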
35
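--- a/src/Thalos.Service.Grpc/Protos/identity_runtime.proto
+++ b/src/Thalos.Service.Grpc/Protos/identity_runtime.proto
@@ -0,0 +1,35 @@
+syntax = "proto3";
+
+option csharp_namespace = "Thalos.Service.Grpc";
+
+package thalos.service.grpc;
+
+service IdentityRuntime {
+rpc IssueIdentityToken (IssueIdentityTokenGrpcRequest) returns (IssueIdentityTokenGrpcResponse);
+rpc EvaluateIdentityPolicy (EvaluateIdentityPolicyGrpcRequest) returns (EvaluateIdentityPolicyGrpcResponse);
+}
+
+message IssueIdentityTokenGrpcRequest {
+string subject_id = 1;
+string tenant_id = 2;
+string provider = 3;
+string external_token = 4;
+}
+
+message IssueIdentityTokenGrpcResponse {
+string token = 1;
+int32 expires_in_seconds = 2;
+}
+
+message EvaluateIdentityPolicyGrpcRequest {
+string subject_id = 1;
+string tenant_id = 2;
+string permission_code = 3;
+string provider = 4;
+}
+
+message EvaluateIdentityPolicyGrpcResponse {
+string subject_id = 1;
+string permission_code = 2;
+bool is_allowed = 3;
+}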
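Review bot: `provider` is a free-form `string` in both request messages, so the schema admits any value and the C# side (`ParseProvider` in `IdentityRuntimeGrpcService`, `FromGrpc` in the adapter) has to fall back silently when it cannot parse it; a proto enum would make the accepted set part of the contract and let generated code reject unknown values at the edge. The member names below follow the three providers listed in the architecture doc in this commit; the numeric tags are a constructed example. Since the file is new in this commit, there is no wire compatibility to preserve by keeping the field a string.
```proto
enum IdentityAuthProvider {
  INTERNAL_JWT = 0;
  AZURE_AD = 1;
  GOOGLE = 2;
}
// … unchanged: service IdentityRuntime, IssueIdentityTokenGrpcResponse, EvaluateIdentityPolicyGrpcResponse …
message IssueIdentityTokenGrpcRequest {
  // … unchanged: subject_id, tenant_id …
  IdentityAuthProvider provider = 3;
  // … unchanged: external_token …
}
message EvaluateIdentityPolicyGrpcRequest {
  // … unchanged: subject_id, tenant_id, permission_code …
  IdentityAuthProvider provider = 4;
}
```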
@ -0,0 +1,75 @@
|
||||
using Grpc.Core;
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
using Thalos.Service.Application.Adapters;
|
||||
using Thalos.Service.Application.Grpc;
|
||||
using Thalos.Service.Application.UseCases;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
|
||||
namespace Thalos.Service.Grpc.Services;
|
||||
|
||||
/// <summary>
|
||||
/// Internal gRPC endpoint implementation for identity runtime operations.
|
||||
/// </summary>
|
||||
public sealed class IdentityRuntimeGrpcService(
|
||||
IIssueIdentityTokenUseCase issueIdentityTokenUseCase,
|
||||
IEvaluateIdentityPolicyUseCase evaluateIdentityPolicyUseCase,
|
||||
IIdentityPolicyGrpcContractAdapter grpcContractAdapter) : IdentityRuntime.IdentityRuntimeBase
|
||||
{
|
||||
/// <summary>
|
||||
/// Issues identity token through service use-case orchestration.
|
||||
/// </summary>
|
||||
/// <param name="request">gRPC token issuance request.</param>
|
||||
/// <param name="context">gRPC server call context.</param>
|
||||
/// <returns>gRPC token issuance response.</returns>
|
||||
public override async Task<IssueIdentityTokenGrpcResponse> IssueIdentityToken(
|
||||
IssueIdentityTokenGrpcRequest request,
|
||||
ServerCallContext context)
|
||||
{
|
||||
var useCaseRequest = new IssueIdentityTokenRequest(
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
ParseProvider(request.Provider),
|
||||
request.ExternalToken);
|
||||
var useCaseResponse = await issueIdentityTokenUseCase.HandleAsync(useCaseRequest);
|
||||
|
||||
return new IssueIdentityTokenGrpcResponse
|
||||
{
|
||||
Token = useCaseResponse.Token,
|
||||
ExpiresInSeconds = useCaseResponse.ExpiresInSeconds
|
||||
};
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Evaluates identity policy through service use-case orchestration.
|
||||
/// </summary>
|
||||
/// <param name="request">gRPC policy evaluation request.</param>
|
||||
/// <param name="context">gRPC server call context.</param>
|
||||
/// <returns>gRPC policy evaluation response.</returns>
|
||||
public override async Task<EvaluateIdentityPolicyGrpcResponse> EvaluateIdentityPolicy(
|
||||
EvaluateIdentityPolicyGrpcRequest request,
|
||||
ServerCallContext context)
|
||||
{
|
||||
var grpcContract = new EvaluateIdentityPolicyGrpcContract(
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.PermissionCode,
|
||||
request.Provider);
|
||||
|
||||
var useCaseRequest = grpcContractAdapter.FromGrpc(grpcContract);
|
||||
var useCaseResponse = await evaluateIdentityPolicyUseCase.HandleAsync(useCaseRequest);
|
||||
|
||||
return new EvaluateIdentityPolicyGrpcResponse
|
||||
{
|
||||
SubjectId = useCaseResponse.SubjectId,
|
||||
PermissionCode = useCaseResponse.PermissionCode,
|
||||
IsAllowed = useCaseResponse.IsAllowed
|
||||
};
|
||||
}
|
||||
|
||||
private static IdentityAuthProvider ParseProvider(string provider)
|
||||
{
|
||||
return Enum.TryParse<IdentityAuthProvider>(provider, true, out var parsedProvider)
|
||||
? parsedProvider
|
||||
: IdentityAuthProvider.InternalJwt;
|
||||
}
|
||||
}
|
||||
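Review bot: `context.CancellationToken` is never read in `IssueIdentityToken` or `EvaluateIdentityPolicy`, and neither `HandleAsync` nor the read ports in the earlier hunks take a `CancellationToken`, so a client disconnect does not stop the repository lookups; add a trailing `CancellationToken cancellationToken = default` to the use-case and port interfaces and pass `context.CancellationToken` through from here. The two endpoints also map the provider differently — `IssueIdentityToken` calls the private `ParseProvider`, `EvaluateIdentityPolicy` goes through `grpcContractAdapter.FromGrpc` — which leaves two copies of the same fallback logic for one wire field; route both through the adapter and delete `ParseProvider`. The `<param name="context">` docs could then say the token is honoured rather than just naming the parameter.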
@ -5,7 +5,14 @@
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
</PropertyGroup>
|
||||
<ItemGroup>
|
||||
<PackageReference Include="Grpc.AspNetCore" Version="2.71.0" />
|
||||
<PackageReference Include="Grpc.Tools" Version="2.71.0">
|
||||
<PrivateAssets>all</PrivateAssets>
|
||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
|
||||
</PackageReference>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Protobuf Include="Protos\identity_runtime.proto" GrpcServices="Server" />
|
||||
<ProjectReference Include="..\Thalos.Service.Application\Thalos.Service.Application.csproj" />
|
||||
<ProjectReference Include="..\Thalos.Service.Identity.Abstractions\Thalos.Service.Identity.Abstractions.csproj" />
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
|
||||
@ -1,7 +1,10 @@
|
||||
using Thalos.Service.Application.Adapters;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
using Thalos.Service.Application.Ports;
|
||||
using Thalos.Service.Application.UseCases;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using Thalos.Domain.Contracts;
|
||||
using Thalos.Domain.Decisions;
|
||||
|
||||
namespace Thalos.Service.Application.UnitTests;
|
||||
|
||||
@ -11,7 +14,7 @@ public class EvaluateIdentityPolicyUseCaseTests
|
||||
public async Task HandleAsync_WhenCalled_UsesIdentityContractsAndReturnsMappedResponse()
|
||||
{
|
||||
var useCase = new EvaluateIdentityPolicyUseCase(
|
||||
new FakeIdentityCapabilityContractAdapter(),
|
||||
new FakeIdentityPolicyDecisionService(),
|
||||
new FakeIdentityPolicyContextReadPort());
|
||||
|
||||
var response = await useCase.HandleAsync(new EvaluateIdentityPolicyRequest("subject-1", "tenant-1", "perm.read"));
|
||||
@ -21,29 +24,38 @@ public class EvaluateIdentityPolicyUseCaseTests
|
||||
Assert.True(response.IsAllowed);
|
||||
}
|
||||
|
||||
private sealed class FakeIdentityCapabilityContractAdapter : IIdentityCapabilityContractAdapter
|
||||
private sealed class FakeIdentityPolicyDecisionService : IIdentityPolicyDecisionService
|
||||
{
|
||||
public IdentityPolicyContextRequest CreatePolicyContext(EvaluateIdentityPolicyRequest identityRequest)
|
||||
public IdentityPolicyContextRequest BuildPolicyContextRequest(EvaluateIdentityPolicyRequest request)
|
||||
{
|
||||
return new IdentityPolicyContextRequest(identityRequest.SubjectId, identityRequest.TenantId, identityRequest.PermissionCode);
|
||||
return new IdentityPolicyContextRequest(
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.PermissionCode,
|
||||
request.Provider);
|
||||
}
|
||||
|
||||
public EvaluateIdentityPolicyResponse MapPolicyResponse(
|
||||
EvaluateIdentityPolicyRequest identityRequest,
|
||||
IdentityPolicyContextResponse contextResponse)
|
||||
public EvaluateIdentityPolicyResponse Evaluate(
|
||||
EvaluateIdentityPolicyRequest request,
|
||||
IdentityPolicyContextData policyContextData)
|
||||
{
|
||||
return new EvaluateIdentityPolicyResponse(
|
||||
identityRequest.SubjectId,
|
||||
identityRequest.PermissionCode,
|
||||
contextResponse.ContextSatisfied);
|
||||
request.SubjectId,
|
||||
request.PermissionCode,
|
||||
policyContextData.ContextSatisfied);
|
||||
}
|
||||
}
|
||||
|
||||
private sealed class FakeIdentityPolicyContextReadPort : IIdentityPolicyContextReadPort
|
||||
{
|
||||
public Task<IdentityPolicyContextResponse> ReadPolicyContextAsync(IdentityPolicyContextRequest request)
|
||||
public Task<IdentityPolicyContextData> ReadPolicyContextAsync(IdentityPolicyContextRequest request)
|
||||
{
|
||||
return Task.FromResult(new IdentityPolicyContextResponse(request.SubjectId, request.PermissionCode, true));
|
||||
return Task.FromResult(new IdentityPolicyContextData(
|
||||
request.SubjectId,
|
||||
request.PermissionCode,
|
||||
IdentityAuthProvider.InternalJwt,
|
||||
true,
|
||||
[request.PermissionCode]));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
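Review bot: The test name `HandleAsync_WhenCalled_UsesIdentityContractsAndReturnsMappedResponse` is now stale — the contract adapter is gone and the use case delegates to `IIdentityPolicyDecisionService`; rename it to `HandleAsync_WhenCalled_DelegatesToDecisionServiceAndReadPort`. Both fakes hard-code a satisfied context, so the single assertion `Assert.True(response.IsAllowed)` only proves the allow path; a second case where `FakeIdentityPolicyContextReadPort` returns `false` for `ContextSatisfied` with `Assert.False(response.IsAllowed)` would at least pin that a denied context is propagated rather than flattened, which is the path that matters for an authorization check.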
@ -1,6 +1,9 @@
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
using Thalos.Service.Application.Ports;
|
||||
using Thalos.Service.Application.UseCases;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using Thalos.Domain.Contracts;
|
||||
using Thalos.Domain.Decisions;
|
||||
|
||||
namespace Thalos.Service.Application.UnitTests;
|
||||
|
||||
@ -9,8 +12,9 @@ public class IssueIdentityTokenUseCaseTests
|
||||
[Fact]
|
||||
public async Task HandleAsync_WhenCalled_DelegatesToReadPort()
|
||||
{
|
||||
var decisionService = new IdentityTokenDecisionService();
|
||||
var port = new FakeIdentityTokenReadPort();
|
||||
var useCase = new IssueIdentityTokenUseCase(port);
|
||||
var useCase = new IssueIdentityTokenUseCase(port, decisionService);
|
||||
|
||||
var response = await useCase.HandleAsync(new IssueIdentityTokenRequest("user-1", "tenant-1"));
|
||||
|
||||
@ -20,9 +24,9 @@ public class IssueIdentityTokenUseCaseTests
|
||||
|
||||
private sealed class FakeIdentityTokenReadPort : IIdentityTokenReadPort
|
||||
{
|
||||
public Task<IssueIdentityTokenResponse> IssueTokenAsync(IssueIdentityTokenRequest request)
|
||||
public Task<IdentityTokenData> ReadTokenAsync(IssueIdentityTokenRequest request)
|
||||
{
|
||||
return Task.FromResult(new IssueIdentityTokenResponse("token-123", 3600));
|
||||
return Task.FromResult(new IdentityTokenData("token-123", 3600, IdentityAuthProvider.InternalJwt));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
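Review bot: `var decisionService = new IdentityTokenDecisionService();` wires the real thalos-domain implementation into a unit test of the service use case, so the assertions after the hunk now depend on how `BuildIssuedTokenResponse` maps `IdentityTokenData` rather than on the use case alone; a `FakeIdentityTokenDecisionService : IIdentityTokenDecisionService` in the same style as `FakeIdentityTokenReadPort` keeps the test isolated and the domain behavior tested in its own project. The name `HandleAsync_WhenCalled_DelegatesToReadPort` also undersells what is exercised now that the decision service is in the loop.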
@ -0,0 +1,99 @@
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using Thalos.Service.Application.Adapters;
|
||||
using Thalos.Service.Application.DependencyInjection;
|
||||
using Thalos.Service.Application.Grpc;
|
||||
using Thalos.Service.Application.UseCases;
|
||||
|
||||
namespace Thalos.Service.Application.UnitTests;
|
||||
|
||||
public class RuntimeWiringTests
|
||||
{
|
||||
[Fact]
|
||||
public async Task AddThalosServiceRuntime_WhenInvoked_ResolvesUseCases()
|
||||
{
|
||||
var services = new ServiceCollection();
|
||||
services.AddThalosServiceRuntime();
|
||||
|
||||
using var provider = services.BuildServiceProvider();
|
||||
var issueTokenUseCase = provider.GetRequiredService<IIssueIdentityTokenUseCase>();
|
||||
var evaluatePolicyUseCase = provider.GetRequiredService<IEvaluateIdentityPolicyUseCase>();
|
||||
|
||||
var tokenResponse = await issueTokenUseCase.HandleAsync(new IssueIdentityTokenRequest("user-1", "tenant-1"));
|
||||
var policyResponse = await evaluatePolicyUseCase.HandleAsync(
|
||||
new EvaluateIdentityPolicyRequest("user-1", "tenant-1", "identity.token.issue"));
|
||||
|
||||
Assert.Equal("user-1:tenant-1:token", tokenResponse.Token);
|
||||
Assert.Equal(1800, tokenResponse.ExpiresInSeconds);
|
||||
Assert.True(policyResponse.IsAllowed);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task AddThalosServiceRuntime_WhenSubjectMissing_ReturnsEmptyToken()
|
||||
{
|
||||
var services = new ServiceCollection();
|
||||
services.AddThalosServiceRuntime();
|
||||
|
||||
using var provider = services.BuildServiceProvider();
|
||||
var issueTokenUseCase = provider.GetRequiredService<IIssueIdentityTokenUseCase>();
|
||||
|
||||
var tokenResponse = await issueTokenUseCase.HandleAsync(
|
||||
new IssueIdentityTokenRequest("missing-user", "tenant-1"));
|
||||
|
||||
Assert.Equal(string.Empty, tokenResponse.Token);
|
||||
Assert.Equal(0, tokenResponse.ExpiresInSeconds);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task AddThalosServiceRuntime_WhenAzureProviderUsed_IssuesProviderToken()
|
||||
{
|
||||
var services = new ServiceCollection();
|
||||
services.AddThalosServiceRuntime();
|
||||
|
||||
using var provider = services.BuildServiceProvider();
|
||||
var issueTokenUseCase = provider.GetRequiredService<IIssueIdentityTokenUseCase>();
|
||||
|
||||
var tokenResponse = await issueTokenUseCase.HandleAsync(
|
||||
new IssueIdentityTokenRequest(
|
||||
string.Empty,
|
||||
"tenant-2",
|
||||
IdentityAuthProvider.AzureAd,
|
||||
"azure-id-token"));
|
||||
|
||||
Assert.StartsWith("azure:", tokenResponse.Token);
|
||||
Assert.True(tokenResponse.ExpiresInSeconds > 0);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void IdentityPolicyGrpcContractAdapter_WhenMapped_PreservesValues()
|
||||
{
|
||||
var adapter = new IdentityPolicyGrpcContractAdapter();
|
||||
var useCaseRequest = new EvaluateIdentityPolicyRequest("user-2", "tenant-2", "identity.policy.evaluate");
|
||||
|
||||
var grpcContract = adapter.ToGrpc(useCaseRequest);
|
||||
var roundtrip = adapter.FromGrpc(grpcContract);
|
||||
|
||||
Assert.Equal("user-2", roundtrip.SubjectId);
|
||||
Assert.Equal("tenant-2", roundtrip.TenantId);
|
||||
Assert.Equal("identity.policy.evaluate", roundtrip.PermissionCode);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void IdentityPolicyGrpcContractAdapter_WhenFromGrpc_UsesExpectedContractShape()
|
||||
{
|
||||
var adapter = new IdentityPolicyGrpcContractAdapter();
|
||||
var contract = new EvaluateIdentityPolicyGrpcContract(
|
||||
"subject-9",
|
||||
"tenant-9",
|
||||
"identity.token.issue",
|
||||
IdentityAuthProvider.Google.ToString());
|
||||
|
||||
var request = adapter.FromGrpc(contract);
|
||||
|
||||
Assert.Equal("subject-9", request.SubjectId);
|
||||
Assert.Equal("tenant-9", request.TenantId);
|
||||
Assert.Equal("identity.token.issue", request.PermissionCode);
|
||||
Assert.Equal(IdentityAuthProvider.Google, request.Provider);
|
||||
}
|
||||
}
|
||||
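Review bot: `IdentityPolicyGrpcContractAdapter_WhenMapped_PreservesValues` never checks the one field the adapter actually transforms; add `Assert.Equal(useCaseRequest.Provider, roundtrip.Provider);` after the PermissionCode assertion, plus a companion case with an unrecognized provider string so the fallback-to-InternalJwt behavior (or its rejection) is pinned rather than implicit. The three `AddThalosServiceRuntime_*` tests assert concrete token shapes (`"user-1:tenant-1:token"`, an `"azure:"` prefix, 1800 seconds) produced by whatever `AddThalosDalRuntime()` registers, which is outside this diff; if that is an in-memory stub, say so in a class-level `<summary>`, because otherwise the tests are pinning a deterministic token format. The AzureAd case passes `string.Empty` as SubjectId with an arbitrary `"azure-id-token"` and still receives a token — worth revisiting once real external-token validation exists.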
@ -7,6 +7,7 @@
|
||||
</PropertyGroup>
|
||||
<ItemGroup>
|
||||
<PackageReference Include="coverlet.collector" Version="6.0.4" />
|
||||
<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.0" />
|
||||
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
|
||||
<PackageReference Include="xunit" Version="2.9.3" />
|
||||
<PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />
|
||||
@ -16,6 +17,5 @@
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\..\src\Thalos.Service.Application\Thalos.Service.Application.csproj" />
|
||||
<ProjectReference Include="..\..\src\Thalos.Service.Identity.Abstractions\Thalos.Service.Identity.Abstractions.csproj" />
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
|
||||