From 1537a928d5b1972c5ccedc0e7e4b03ccc7a56bd3 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 29 May 2026 09:09:38 +0100 Subject: [PATCH] =?UTF-8?q?decisions(2):=20record=20operator=20SSO-provide?= =?UTF-8?q?r=20policy=20=E2=80=94=20keycloak=20DEFAULT=20for=20all=20recip?= =?UTF-8?q?e=20OIDC;=20authentik=20NOT=20a=20Phase-2=20DONE=20gate=20(enro?= =?UTF-8?q?ll=20only=20if=20a=20recipe=20REQUIRES=20it);=20cryptpad=20OIDC?= =?UTF-8?q?=20under=20keycloak;=20narrow=20DEFERRED=20#9=20authentik=20re-?= =?UTF-8?q?entry=20trigger?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/DECISIONS.md | 18 ++++++++++++++++++ machine-docs/DEFERRED.md | 10 ++++++---- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/machine-docs/DECISIONS.md b/machine-docs/DECISIONS.md index c46f39e..53f55f2 100644 --- a/machine-docs/DECISIONS.md +++ b/machine-docs/DECISIONS.md 
@@ -706,3 +706,21 @@ DEFERRED.md 2026-05-29). Until then, heavy recipes are verified via their maxima (install+backup+restore+custom) with the upgrade tier flagged as a genuine env-level (disk) blocker per plan §7.1 (Adversary sign-off required). The cleanup runbook for an over-full host: `pkill -f run_recipe_ci.py`; `docker stack rm `; remove its volumes+secrets; `docker image prune -f`. + +## SSO-provider policy (operator, 2026-05-29) — keycloak is the DEFAULT; authentik is NOT a DONE gate +Standing policy for all Phase-2 (and later) recipe OIDC/SSO testing: +- **keycloak is the default SSO provider.** Default ALL recipe OIDC tests to keycloak (live-warm WC1). +- **Do NOT test authentik↔keycloak integration**, and do NOT enroll authentik merely to "prove + pluggability" / second-provider coverage. **Phase-2 DONE is NOT gated on authentik.** +- Enroll authentik + add `setup_authentik_realm` (the provider-pluggable backend in + `runner/harness/sso.py`) **ONLY if a recipe genuinely REQUIRES authentik** (cannot work under + keycloak). If it works with keycloak, use keycloak. +- **cryptpad:** its recipe-maintainer upstream SSO test uses authentik, but cc-ci tests cryptpad's OIDC + under **keycloak** (equally valid). Same for any recipe whose upstream happens to use authentik but + functions fine under keycloak. +- The OIDC FLOW primitives (`oidc_password_grant`, `assert_discovery_endpoint`) are already + provider-agnostic; only realm/client SETUP is provider-specific, and we only need the keycloak setup + (`setup_keycloak_realm`) unless/until a recipe forces authentik. +Consequences: DEFERRED #9 (authentik enrollment) re-entry trigger narrowed to "a recipe requires +authentik"; F2-7 (authentik backend) is not a DONE blocker. plan-sso-dep-testing.md §6 updated by the +orchestrator to match. diff --git a/machine-docs/DEFERRED.md b/machine-docs/DEFERRED.md index 8bd1451..6ce7ae8 100644 --- a/machine-docs/DEFERRED.md +++ b/machine-docs/DEFERRED.md 
@@ -150,10 +150,12 @@ before the build is called done) — but does **not** force closure. recipe-maintainer SSO test uses authentik but that parity port is already deferred above). The SSO harness's OIDC FLOW primitives (`oidc_password_grant`, `assert_discovery_endpoint`) are already provider-agnostic; only `setup_keycloak_realm` is keycloak-specific. -- **Re-entry trigger:** When Q3.4 cryptpad's deferred `oidc_login.py` parity is lifted (cryptpad's - upstream test uses authentik), OR when an additional Q4 recipe enrolls with `DEPS = ["authentik"]`, - OR Phase-2 DONE review (operator may insist on second-provider coverage proving the harness IS - pluggable, not just claimed). +- **Re-entry trigger (NARROWED per operator SSO policy 2026-05-29):** ONLY when a recipe **genuinely + REQUIRES authentik** (cannot work under keycloak). Dropped the former triggers — cryptpad's OIDC is + now tested under **keycloak** (its upstream uses authentik but keycloak is equally valid), and + **Phase-2 DONE is explicitly NOT gated on authentik** (no "prove pluggability"/second-provider/ + DONE-review trigger). keycloak is the default SSO provider for all recipe OIDC tests. See + DECISIONS.md "SSO-provider policy". - **Linked IDEA:** — ### 2026-05-29 — heavy-recipe upgrade tier needs more host disk (28GB too small) — CLOSED @2026-05-29
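Review bot: In the DECISIONS.md hunk, the closing line "plan-sso-dep-testing.md §6 updated by the orchestrator to match" describes a change that is not in this patch (the diffstat lists only DECISIONS.md and DEFERRED.md), so the decision record asserts a state the repository may not yet be in; either include the §6 edit in this commit or word it as pending ("to be updated"). Two related points in the same hunk: the enrollment condition "ONLY if a recipe genuinely REQUIRES authentik (cannot work under keycloak)" gives no criterion for what counts as evidence of "cannot work" (a failing keycloak run with its log, or a documented provider-specific feature), which leaves the single remaining re-entry trigger unauditable; and the cryptpad bullet calls keycloak "equally valid" for an upstream test written against authentik without citing a passing keycloak run, so a reviewer cannot tell whether provider-specific behaviour (claim names, group mapping) was actually exercised. Suggest adding one sentence naming the evidence required for each.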
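Review bot: In the DEFERRED.md hunk, dropping the "Q3.4 cryptpad `oidc_login.py` parity is lifted" trigger leaves a gap: the unchanged context line above still says cryptpad's recipe-maintainer SSO test uses authentik and that the parity port is deferred, so if that port is ever un-deferred it would by construction be a recipe whose upstream test requires authentik. The narrowed trigger should say explicitly whether lifting the parity port counts as "a recipe genuinely REQUIRES authentik" or whether the port is to be re-targeted to keycloak when lifted, otherwise the two DEFERRED entries contradict each other on re-entry. Minor: "- **Linked IDEA:** —" remains an empty placeholder in the retained context; if no IDEA is linked, state "none" rather than a dash.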