From 34867fba4a37a882c2190e4af137984a56e26d98 Mon Sep 17 00:00:00 2001 From: Eugene Blikh Date: Sun, 26 Apr 2026 15:16:45 +0300 Subject: [PATCH] docs(lethe-oidc-stub): record review pass + conclusion --- docs/tasks/lethe-oidc-stub.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/tasks/lethe-oidc-stub.md b/docs/tasks/lethe-oidc-stub.md index 6fa4dcb0c4537b69be5e352c09feb0b0e5a465a1..211fb7d8757f270a195d5969b4c8712ccce46c80 100644 --- a/docs/tasks/lethe-oidc-stub.md +++ b/docs/tasks/lethe-oidc-stub.md 
@@ -257,6 +257,25 @@ Rollback per phase: each commit is independently revertable. PH3 alone reverts c ## Conclusion +Outcome: oidcstub lifted to `internal/testutil/oidcstub/` and wired into the daemon as an opt-in dev OP under `auth.oidc.dev_stub`; verify-driven fix-up corrected a pre-existing latent steward injection bug in `OIDCVerifier`. HEAD `05f80f3`. + +Invariants: +- IV1 — `internal/testutil/oidcstub/oidcstub.go` imports stdlib + `go.bigb.es/auxilia/culpa` only. +- IV2 — `OIDCDevStub` registers ahead of `OIDCVerifier` in `cmd/lethe/main.go:134-143`; `TestOIDCDevStub_InitStartsListener_TokenVerifies` and live smoke both confirm verifier discovery resolves. +- IV3 — `TestOIDCDevStub_DisabledIsNoop` covers default-disabled no-listener path; `cmd/lethe/main.go:134` registers the asset only when both flags are true. +- IV4 — `OIDCDevStub` reads from `Cfg.OIDC.{Issuer,Audience,UsernameClaim}` and constructs `oidcstub.New(...)` with the same values; smoke proved verifier accepts stub-minted tokens. +- IV5 — `internal/server/auth/middleware_test.go` retains all 22 OIDC + forward-auth cases passing post-refactor. + +### Assumptions check + +- AS1 — held. Gate is config-only; operator must explicitly set `auth.oidc.dev_stub.enabled: true` in YAML. +- AS2 — held. `coreos/go-oidc/v3` accepted `http://127.0.0.1:8191` in live smoke. +- AS3 — held. `rsa.GenerateKey(rand.Reader, 2048)` is called inside `New` at `oidcstub.go:66`; tokens from a previous run stop verifying after restart by design. + +### Unknowns outcome + +- UK1 — resolved: `/dev/token` accepts only `?sub=` + `?exp=`. No additional claim overrides shipped; the banner + endpoint cover every observed need in execute and verify, and the API can extend additively if a real edge case surfaces. + ### Deviations from plan - PH1 — added `Stub.Issuer() string` getter beyond the planned `SetIssuer`. 
**Why:** `middleware_test.go` builds `config.OIDCConfig{Issuer: ...}` after `httptest.NewServer` returns, and needs to read the value back from the stub. Read-only; no mutable-state concern.
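Review bot: IV3 says the asset is registered "only when both flags are true", but the conclusion names only one flag, `auth.oidc.dev_stub.enabled` (AS1); name the second flag so a reader can check the gate without opening `cmd/lethe/main.go`. Related: the `cmd/lethe/main.go:134-143` and `oidcstub.go:66` references will go stale on the next edit to either file; anchor IV2, IV3 and AS3 on the symbols they describe (`OIDCDevStub` registration, `rsa.GenerateKey` inside `New`) rather than line numbers. Since `/dev/token` mints a verifiable token for any `?sub=` (UK1), the conclusion should also record the stub's bind address as an invariant; the smoke only shows `http://127.0.0.1:8191` being accepted, not that loopback is the only address the listener will bind. Finally, "corrected a pre-existing latent steward injection bug in `OIDCVerifier`" is the one substantive code change in the outcome and gets no description; one sentence on what the bug was and which of the 22 `middleware_test.go` cases now covers it would make the doc self-contained.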