Передаем на тест
This commit is contained in:
@@ -78,10 +78,15 @@ frontend/
|
||||
├── src/
|
||||
│ ├── lib/
|
||||
│ │ ├── auth/ # New: Frontend auth stores/logic
|
||||
│ │ └── api/ # Update: Add auth headers to requests
|
||||
│ │ └── api.js # Update: Add auth headers and export core methods
|
||||
│ ├── services/
|
||||
│ │ └── adminService.js # New: Service for admin API operations
|
||||
│ ├── routes/
|
||||
│ │ ├── login/ # New: Login page
|
||||
│ │ └── admin/ # New: Admin dashboard (Users/Roles)
|
||||
│ │ └── admin/
|
||||
│ │ ├── users/ # New: User Management UI
|
||||
│ │ ├── roles/ # New: Role Management UI
|
||||
│ │ └── settings/ # New: ADFS Configuration UI
|
||||
│ └── components/
|
||||
│ └── auth/ # New: Auth components (ProtectedRoute, Login form)
|
||||
```
|
||||
|
||||
@@ -49,6 +49,30 @@ As an administrator, I want to assign specific plugin access rights to users so
|
||||
|
||||
---
|
||||
|
||||
### User Story 4 - Role Management (Priority: P1)
|
||||
|
||||
As an administrator, I want to create and manage roles with specific permissions so that I can easily assign standard access sets to users.
|
||||
|
||||
**Why this priority**: Essential for scalable user management. Assigning individual permissions to every user is tedious and error-prone.
|
||||
|
||||
**Acceptance Scenarios**:
|
||||
|
||||
1. **Given** an administrator, **When** they navigate to the Role Management page, **Then** they see a list of all system roles.
|
||||
2. **Given** an administrator, **When** they create a new role "Auditor" with "READ" permission on "Logs", **Then** the role is saved and available for assignment.
|
||||
3. **Given** an administrator, **When** they update a role's permissions, **Then** all users with that role effectively gain/lose those permissions.
|
||||
|
||||
**Why this priority**: Security is a core requirement. Without granular permissions, all authenticated users would have full administrative access, which defeats the purpose of multi-user support.
|
||||
|
||||
**Independent Test**: Create two users with different permissions (e.g., User A has access to "Backup", User B does not). Verify User A can access the Backup tool while User B receives a 403 Forbidden error.
|
||||
|
||||
**Acceptance Scenarios**:
|
||||
|
||||
1. **Given** a user with "Backup" plugin permission, **When** they navigate to the Backup tool, **Then** the page loads successfully.
|
||||
2. **Given** a user WITHOUT "Backup" plugin permission, **When** they navigate to the Backup tool, **Then** they are denied access (UI hides the link, API returns 403).
|
||||
3. **Given** an administrator, **When** they edit a user's permissions, **Then** the changes take effect immediately or upon next login.
|
||||
|
||||
---
|
||||
|
||||
### User Story 3 - ADFS Integration (Priority: P2)
|
||||
|
||||
As a corporate user, I want to log in using my organization's ADFS credentials so that I don't have to manage a separate password.
|
||||
@@ -78,17 +102,18 @@ As a corporate user, I want to log in using my organization's ADFS credentials s
|
||||
|
||||
- **FR-001**: System MUST support local user authentication via username and password.
|
||||
- **FR-002**: System MUST support authentication via ADFS (Active Directory Federation Services) using standard federation protocols.
|
||||
- **FR-003**: System MUST provide a mechanism to manage users (Create, Read, Update, Delete) - restricted to administrators.
|
||||
- **FR-003**: System MUST provide a web-based interface to manage users (Create, Read, Update, Delete) - restricted to administrators.
|
||||
- **FR-004**: System MUST implement Role-Based Access Control (RBAC) where permissions are assigned to Roles, and Roles are assigned to Users.
|
||||
- **FR-005**: System MUST enforce permissions at the server level for all plugin execution requests.
|
||||
- **FR-006**: System MUST enforce permissions at the user interface level (hide navigation items/buttons for unauthorized plugins).
|
||||
- **FR-007**: System MUST securely store local user credentials.
|
||||
- **FR-008**: System MUST support Just-In-Time (JIT) provisioning for ADFS users ONLY if they belong to a mapped AD group.
|
||||
- **FR-009**: System MUST provide a CLI utility to create an initial administrator account to prevent lockout during first deployment.
|
||||
- **FR-010**: System MUST allow configuring mappings between Active Directory Groups and local System Roles.
|
||||
- **FR-010**: System MUST provide a web-based interface for configuring mappings between Active Directory Groups and local System Roles.
|
||||
- **FR-011**: System MUST use JWT (JSON Web Tokens) for API session management.
|
||||
- **FR-012**: System MUST persist authentication and authorization data in a dedicated SQLite database (`auth.db`).
|
||||
- **FR-013**: System MUST provide a unified login interface supporting both Local (Username/Password) and ADFS (SSO Button) authentication methods simultaneously.
|
||||
- **FR-014**: System MUST provide a web-based interface to manage Roles (Create, Update, Delete) and assign permissions to them.
|
||||
|
||||
### Key Entities
|
||||
|
||||
|
||||
@@ -8,74 +8,81 @@
|
||||
|
||||
*Goal: Initialize the auth database, core dependencies, and backend infrastructure.*
|
||||
|
||||
- [ ] T001 Install backend dependencies (Authlib, Passlib, PyJWT, SQLAlchemy) in `backend/requirements.txt`
|
||||
- [ ] T002 Implement core configuration for Auth and Database in `backend/src/core/auth/config.py`
|
||||
- [ ] T003 Implement database connection logic for `auth.db` in `backend/src/core/database.py`
|
||||
- [ ] T004 Create SQLAlchemy models for User, Role, Permission in `backend/src/models/auth.py`
|
||||
- [ ] T005 Create migration/init script to generate `auth.db` schema in `backend/src/scripts/init_auth_db.py`
|
||||
- [ ] T006 Implement password hashing utility using Passlib in `backend/src/core/auth/security.py`
|
||||
- [ ] T007 Implement JWT token generation and validation logic in `backend/src/core/auth/jwt.py`
|
||||
- [ ] T008 [P] Implement CLI tool for creating the initial admin user in `backend/src/scripts/create_admin.py`
|
||||
- [x] T001 Install backend dependencies (Authlib, Passlib, PyJWT, SQLAlchemy) in `backend/requirements.txt`
|
||||
- [x] T002 Implement core configuration for Auth and Database in `backend/src/core/auth/config.py`
|
||||
- [x] T003 Implement database connection logic for `auth.db` in `backend/src/core/database.py`
|
||||
- [x] T004 Create SQLAlchemy models for User, Role, Permission in `backend/src/models/auth.py`
|
||||
- [x] T005 Create migration/init script to generate `auth.db` schema in `backend/src/scripts/init_auth_db.py`
|
||||
- [x] T006 Implement password hashing utility using Passlib in `backend/src/core/auth/security.py`
|
||||
- [x] T007 Implement JWT token generation and validation logic in `backend/src/core/auth/jwt.py`
|
||||
- [x] T008 [P] Implement CLI tool for creating the initial admin user in `backend/src/scripts/create_admin.py`
|
||||
|
||||
## Phase 2: User Story 1 - Local User Authentication (Priority: P1)
|
||||
|
||||
*Goal: Enable users to log in with username/password and receive a JWT session.*
|
||||
|
||||
- [ ] T009 [US1] Create Pydantic schemas for User, UserCreate, Token in `backend/src/schemas/auth.py`
|
||||
- [ ] T010 [US1] Implement `AuthRepository` for DB operations in `backend/src/core/auth/repository.py`
|
||||
- [ ] T011 [US1] Implement `AuthService` for login logic (verify password, create token) in `backend/src/services/auth_service.py`
|
||||
- [ ] T012 [US1] Create API endpoint `POST /api/auth/login` in `backend/src/api/auth.py`
|
||||
- [ ] T013 [US1] Implement `get_current_user` dependency for JWT verification in `backend/src/dependencies.py`
|
||||
- [ ] T014 [US1] Create API endpoint `GET /api/auth/me` to retrieve current user profile in `backend/src/api/auth.py`
|
||||
- [ ] T043 [US1] Implement session revocation (Logout) endpoint in `backend/src/api/auth.py`
|
||||
- [ ] T044 [US1] Implement account status check (`is_active`) in authentication flow in `backend/src/services/auth_service.py`
|
||||
- [ ] T015 [US1] Implement frontend auth store (Svelte store) in `frontend/src/lib/auth/store.ts`
|
||||
- [ ] T016 [US1] Implement Login Page UI using `src/lib/ui` and `src/lib/i18n` in `frontend/src/routes/login/+page.svelte`
|
||||
- [ ] T017 [US1] Integrate Login Page with Backend API in `frontend/src/routes/login/+page.svelte`
|
||||
- [ ] T018 [US1] Implement `ProtectedRoute` component to redirect unauthenticated users in `frontend/src/components/auth/ProtectedRoute.svelte`
|
||||
- [ ] T037 [US1] Implement password complexity validation logic in `backend/src/core/auth/security.py`
|
||||
- [x] T009 [US1] Create Pydantic schemas for User, UserCreate, Token in `backend/src/schemas/auth.py`
|
||||
- [x] T010 [US1] Implement `AuthRepository` for DB operations in `backend/src/core/auth/repository.py`
|
||||
- [x] T011 [US1] Implement `AuthService` for login logic (verify password, create token) in `backend/src/services/auth_service.py`
|
||||
- [x] T012 [US1] Create API endpoint `POST /api/auth/login` in `backend/src/api/auth.py`
|
||||
- [x] T013 [US1] Implement `get_current_user` dependency for JWT verification in `backend/src/dependencies.py`
|
||||
- [x] T014 [US1] Create API endpoint `GET /api/auth/me` to retrieve current user profile in `backend/src/api/auth.py`
|
||||
- [x] T043 [US1] Implement session revocation (Logout) endpoint in `backend/src/api/auth.py`
|
||||
- [x] T044 [US1] Implement account status check (`is_active`) in authentication flow in `backend/src/services/auth_service.py`
|
||||
- [x] T015 [US1] Implement frontend auth store (Svelte store) in `frontend/src/lib/auth/store.ts`
|
||||
- [x] T016 [US1] Implement Login Page UI using `src/lib/ui` and `src/lib/i18n` in `frontend/src/routes/login/+page.svelte`
|
||||
- [x] T017 [US1] Integrate Login Page with Backend API in `frontend/src/routes/login/+page.svelte`
|
||||
- [x] T018 [US1] Implement `ProtectedRoute` component to redirect unauthenticated users in `frontend/src/components/auth/ProtectedRoute.svelte`
|
||||
- [x] T037 [US1] Implement password complexity validation logic in `backend/src/core/auth/security.py`
|
||||
|
||||
## Phase 3: User Story 2 - Plugin-Based Access Control (Priority: P1)
|
||||
|
||||
*Goal: Restrict access to plugins based on user roles and permissions.*
|
||||
|
||||
- [ ] T019 [US2] Update `PluginBase` to include required permission strings in `backend/src/core/plugin_base.py`
|
||||
- [ ] T020 [US2] Implement `has_permission` dependency for route protection in `backend/src/dependencies.py`
|
||||
- [ ] T021 [US2] Protect existing plugin API routes using `has_permission` in `backend/src/api/routes/*.py`
|
||||
- [ ] T022 [US2] Implement `SystemAdminPlugin` inheriting from `PluginBase` for User/Role management in `backend/src/plugins/system_admin.py`
|
||||
- [ ] T023 [US2] Implement Admin API endpoints within `SystemAdminPlugin` (with pagination) in `backend/src/api/routes/admin.py`
|
||||
- [ ] T024 [US2] Create Admin Dashboard UI using `src/lib/ui` and `src/lib/i18n` in `frontend/src/routes/admin/users/+page.svelte`
|
||||
- [ ] T025 [US2] Update Navigation Bar to hide links and show user profile/logout using `src/lib/ui` in `frontend/src/components/Navbar.svelte`
|
||||
- [ ] T042 [US2] Implement `PermissionGuard` frontend component for granular UI element protection in `frontend/src/components/auth/PermissionGuard.svelte`
|
||||
- [ ] T045 [US2] Implement multi-role permission resolution logic (union of permissions) in `backend/src/services/auth_service.py`
|
||||
- [x] T019 [US2] Update `PluginBase` to include required permission strings in `backend/src/core/plugin_base.py`
|
||||
- [x] T020 [US2] Implement `has_permission` dependency for route protection in `backend/src/dependencies.py`
|
||||
- [x] T021 [US2] Protect existing plugin API routes using `has_permission` in `backend/src/api/routes/*.py`
|
||||
- [x] T022 [US2] Implement `SystemAdminPlugin` inheriting from `PluginBase` for User/Role management in `backend/src/plugins/system_admin.py`
|
||||
- [x] T023 [US2] Implement Admin API endpoints within `SystemAdminPlugin` in `backend/src/api/routes/admin.py`
|
||||
- [ ] T053 [US2] Extend Admin API with User Update/Delete and Role CRUD endpoints in `backend/src/api/routes/admin.py`
|
||||
- [ ] T054 [US2] Add Pydantic schemas for UserUpdate, RoleCreate, RoleUpdate in `backend/src/schemas/auth.py`
|
||||
- [x] T051 [US2] Implement `adminService.js` for frontend API orchestration
|
||||
- [ ] T055 [US2] Update `adminService.js` with new CRUD methods
|
||||
- [x] T024 [US2] Create Admin Dashboard UI using `src/lib/ui` and `src/lib/i18n` in `frontend/src/routes/admin/users/+page.svelte`
|
||||
- [ ] T056 [US2] Update Admin User Dashboard to support Edit/Delete operations in `frontend/src/routes/admin/users/+page.svelte`
|
||||
- [ ] T057 [US4] Create Role Management UI in `frontend/src/routes/admin/roles/+page.svelte`
|
||||
- [x] T025 [US2] Update Navigation Bar to hide links and show user profile/logout using `src/lib/ui` in `frontend/src/components/Navbar.svelte`
|
||||
- [x] T042 [US2] Implement `PermissionGuard` frontend component for granular UI element protection in `frontend/src/components/auth/PermissionGuard.svelte`
|
||||
- [x] T045 [US2] Implement multi-role permission resolution logic (union of permissions) in `backend/src/services/auth_service.py`
|
||||
|
||||
## Phase 4: User Story 3 - ADFS Integration (Priority: P2)
|
||||
|
||||
*Goal: Enable corporate SSO login via ADFS and JIT provisioning.*
|
||||
|
||||
- [ ] T026 [US3] Configure Authlib for ADFS OIDC in `backend/src/core/auth/oauth.py`
|
||||
- [ ] T027 [US3] Create `ADGroupMapping` model in `backend/src/models/auth.py` and update DB init script
|
||||
- [ ] T028 [US3] Implement JIT provisioning logic (create user if maps to group) in `backend/src/services/auth_service.py`
|
||||
- [ ] T029 [US3] Create API endpoints `GET /api/auth/login/adfs` and `GET /api/auth/callback/adfs` in `backend/src/api/auth.py`
|
||||
- [ ] T030 [US3] Update Login Page to include "Login with ADFS" button using `src/lib/ui` in `frontend/src/routes/login/+page.svelte`
|
||||
- [ ] T031 [US3] Implement Admin UI for configuring AD Group Mappings in `frontend/src/routes/admin/settings/+page.svelte`
|
||||
- [ ] T041 [US3] Create ADFS mock provider for local testing and CI in `backend/tests/auth/mock_adfs.py`
|
||||
- [ ] T046 [US3] Implement token refresh logic for ADFS OIDC tokens in `backend/src/core/auth/jwt.py`
|
||||
- [x] T026 [US3] Configure Authlib for ADFS OIDC in `backend/src/core/auth/oauth.py`
|
||||
- [x] T027 [US3] Create `ADGroupMapping` model in `backend/src/models/auth.py` and update DB init script
|
||||
- [x] T028 [US3] Implement JIT provisioning logic (create user if maps to group) in `backend/src/services/auth_service.py`
|
||||
- [x] T029 [US3] Create API endpoints `GET /api/auth/login/adfs` and `GET /api/auth/callback/adfs` in `backend/src/api/auth.py`
|
||||
- [x] T030 [US3] Update Login Page to include "Login with ADFS" button using `src/lib/ui` in `frontend/src/routes/login/+page.svelte`
|
||||
- [x] T031 [US3] Implement Admin UI for configuring AD Group Mappings in `frontend/src/routes/admin/settings/+page.svelte`
|
||||
- [x] T052 [US3] Extend Admin API with AD mapping endpoints in `backend/src/api/routes/admin.py`
|
||||
- [x] T041 [US3] Create ADFS mock provider for local testing and CI in `backend/tests/auth/mock_adfs.py`
|
||||
- [x] T046 [US3] Implement token refresh logic for ADFS OIDC tokens in `backend/src/core/auth/jwt.py`
|
||||
|
||||
## Phase 5: Polish & Security Hardening
|
||||
|
||||
*Goal: Ensure security best practices and smooth UX.*
|
||||
|
||||
- [ ] T032 Ensure all cookies are set with `HttpOnly` and `Secure` flags in `backend/src/api/auth.py`
|
||||
- [ ] T033 Implement rate limiting and account lockout policy in `backend/src/api/auth.py`
|
||||
- [ ] T034 Verify error messages are generic (no username enumeration) across all auth endpoints
|
||||
- [ ] T035 Add "Session Expired" handling in frontend interceptor in `frontend/src/lib/api/client.ts`
|
||||
- [ ] T036 Final manual test of switching between Local and ADFS login flows
|
||||
- [ ] T040 Add confirmation dialogs for destructive admin actions using `src/lib/ui` in `frontend/src/routes/admin/users/+page.svelte`
|
||||
- [ ] T047 Implement audit logging for security events (login, logout, permission changes) in `backend/src/core/auth/logger.py`
|
||||
- [ ] T048 Perform UI accessibility audit (keyboard nav, ARIA alerts) for all auth components
|
||||
- [ ] T049 Implement unit and integration tests for Local Auth and RBAC in `backend/tests/auth/`
|
||||
- [ ] T050 Implement E2E tests for ADFS flow using mock provider in `tests/e2e/auth.spec.ts`
|
||||
- [x] T032 Ensure all cookies are set with `HttpOnly` and `Secure` flags in `backend/src/api/auth.py`
|
||||
- [x] T033 Implement rate limiting and account lockout policy in `backend/src/api/auth.py`
|
||||
- [x] T034 Verify error messages are generic (no username enumeration) across all auth endpoints
|
||||
- [x] T035 Add "Session Expired" handling in frontend interceptor in `frontend/src/lib/api/client.ts`
|
||||
- [x] T036 Final manual test of switching between Local and ADFS login flows
|
||||
- [x] T040 Add confirmation dialogs for destructive admin actions using `src/lib/ui` in `frontend/src/routes/admin/users/+page.svelte`
|
||||
- [x] T047 Implement audit logging for security events (login, logout, permission changes) in `backend/src/core/auth/logger.py`
|
||||
- [x] T048 Perform UI accessibility audit (keyboard nav, ARIA alerts) for all auth components
|
||||
- [x] T049 Implement unit and integration tests for Local Auth and RBAC in `backend/tests/auth/`
|
||||
- [x] T050 Implement E2E tests for ADFS flow using mock provider in `tests/e2e/auth.spec.ts`
|
||||
|
||||
## Dependencies
|
||||
|
||||
|
||||
Reference in New Issue
Block a user