150 #58

Open: alvagante wants to merge 10 commits into main from 150

Conversation

@alvagante

Member

No description provided.

alvagante added 10 commits June 10, 2026 13:37
- Add EntraIdService with OAuth 2.0 Authorization Code Flow and PKCE support
- Implement ID token validation via JWKS with configurable caching
- Add federated identity provisioning and account linking on first SSO login
- Support automatic group-to-role synchronization from Entra ID claims
- Add database migrations for federated_identities and oauth_state_store tables
- Create /api/auth/entra-id/* routes for login, callback, and token exchange
- Add EntraIdLoginButton component with Microsoft branding for frontend
- Implement server-side ephemeral state store with 10-minute TTL
- Add single-use authorization code flow for secure frontend token delivery
- Update authentication middleware to treat federated and local auth identically
- Add comprehensive unit, integration, and property-based test coverage
- Update configuration schema and environment examples for Entra ID setup
- Add Entra ID integration documentation with setup and group mapping examples
- Ensure zero disruption to existing local authentication flows
- Update Docker image version labels in Dockerfile, Dockerfile.alpine, and Dockerfile.ubuntu
- Bump backend package.json version from 1.4.0 to 1.5.0
- Update backend API server version in health check endpoint
- Bump frontend package.json version from 1.4.0 to 1.5.0
- Update Navigation component to display v1.5.0.alpha
- Bump Helm chart appVersion from 1.4.0 to 1.5.0
- Update root package.json version from 1.4.0 to 1.5.0
- Add comprehensive upgrading.md guide covering Git, Docker, Docker Compose, and Kubernetes deployment methods
- Document database backup requirements and migration behavior before upgrading
- Update README with inline upgrading section and link to full upgrade guide
- Add upgrading link to README documentation navigation
- Update CHANGELOG to reflect v1.5.0 release with v1.4.0 dated as 2026-06-05
- Clarify "classic infrastructure" description to include Kubernetes nodes
- Remove roadmap section and replace version history with CHANGELOG reference
- Consolidate upgrade instructions across all deployment methods with clear step-by-step procedures
- Add console-integration specification with design, requirements, and task documentation
- Archive 70+ completed specifications to done directory including:
* Puppet and PuppetDB integration specs
* Release and testing documentation
* RBAC authorization and SSH integration specs
* Azure and Checkmk integration specs
* Code review fixes and journal enhancements
* Node groups, parallel execution, and Proxmox integration specs
- Reorganize specification structure to separate active work from completed milestones
- Improve project documentation organization for future reference and auditing
…anagement and UI widgets

- Add ConsolePlugin interface and console-specific types for transports, capabilities, and session states
- Implement ConsoleSessionManager service with token generation, session CRUD, validation, and concurrent limits
- Add ConsoleWebSocketProxy service for VNC/SPICE protocol relay and binary stream handling
- Create console configuration schema with timeout, duration, and heartbeat parameters
- Add database migrations for console_sessions and console_permissions tables with RBAC integration
- Implement Proxmox console provider for VNC access to virtual machines
- Add /console API routes for session creation, validation, connection, and termination
- Create 14 property-based tests covering token validation, RBAC, availability, binary relay, malformed input handling, and concurrent limits
- Add frontend widgets: ConsoleViewer, ConsoleAccessWidget, GeneralInfoWidget, LatestActionsWidget, MonitoringSummaryWidget, PuppetRunsWidget
- Implement widget grid layout system with dynamic widget registry for node detail page
- Add ActionRow and WidgetFrame components for consistent widget presentation
- Include comprehensive audit logging for all console session operations
- Update configuration service to parse and validate console environment variables
- Completes console integration specification with full end-to-end functionality from session creation to user access and monitoring
…ame components

- Add property-based tests for widget registry validation (registration preservation, column span clamping, integration filtering)
- Add unit tests for WidgetFrame component (column span application, error badge content, loading skeleton, error state with retry)
- Add unit tests for WidgetGrid component (action row composition, error isolation, integration status error handling)
- Add integration test for WidgetGrid with mocked integration status and test widget registration
- Add mock widget components for testing (MockReadyWidget, MockErrorWidget, MockNeverReadyWidget)
- Fix console API response structure in ConsoleViewer to destructure session from nested response
- Resolve linked/merged node identifiers to provider-specific IDs in getConsoleCapabilities and createSession
- Update IntegrationManager to use cached inventory for node ID resolution without extra fetches
- Update console route handler to resolve FQDN and merged inventory names to provider-specific formats
- Mark completed widget grid specification tasks in project documentation
…ation

- Add new PuppetAgentActionsWidget component for managing Puppet agent operations
- Implement puppetAgentActions widget with registry integration
- Update security middleware to exclude non-credential auth endpoints from rate limiting (GET /providers, POST /refresh, POST /logout, GET /callback)
- Enhance ConsoleAccessWidget with expandable state and integration badges
- Expand GeneralInfoWidget with comprehensive system information display (CPU, memory, disk, network interfaces)
- Update LatestActionsWidget with enhanced filtering and pagination
- Refactor PuppetRunsWidget to support new data structures
- Improve Navigation component with updated styling and route handling
- Add PUBLIC_PATHS set to App.svelte for conditional navigation shell rendering
- Update widget registry with new puppet agent actions widget
- Ensure authenticated users only see navigation and footer on protected route
- Add build tools (python3, make, g++) installation in backend-deps stage
- Update npm install to use --build-from-source flag for sqlite3 compilation
- Apply changes across all Dockerfile variants (standard, Alpine, Ubuntu)
- Resolves glibc version mismatches in Debian bookworm (2.36) and missing musl binaries
- Adds hadolint ignore comments for package manager operations
- Add SSO code detection and exchange in App.svelte before router initialization
- Implement processingSso state to block route rendering during code exchange
- Add loading UI for SSO completion flow with spinner and status message
- Refactor Router.svelte auth guards to use derived state instead of side-effects
- Split authorization logic into separate derived computed property for clarity
- Move redirect side-effects into dedicated $effect block for better control flow
- Add authorized guard check before rendering route components
- Prevent auth guard from firing during SSO callback to avoid race conditions
- Add accessibility attributes (role, aria-label) to loading spinner in Router
- Ensure SSO code is exchanged before setup status check runs
…tion authorization bypass

- Add database migrations for Checkmk write permissions schema
- Implement monitoringActions route with proper authorization checks
- Enforce command-whitelist validation on all execution paths including batch and re-execute endpoints
- Add RBAC middleware to executions router to prevent unauthorized command execution
- Update Checkmk service to support write operations with validated action types
- Add comprehensive security tests for execution authorization and command validation
- Update configuration schema and documentation for new security controls
- Fix WebSocket TLS verification in console proxy to enable upstream certificate validation
- Add security assessment documentation covering auth, RBAC, and command execution vulnerabilities
- Improve PuppetDB service type safety and integration error handling
- Update frontend Checkmk API client and MonitorPage component for write action support
- Add test coverage for new security-sensitive routes and authorization logic
Fixes unauthorized command execution vulnerability (H-1) and improves defense-in-depth validation across integration points.
Copilot AI review requested due to automatic review settings July 2, 2026 08:56
} as unknown as WebSocket;
}

function createMockClientWs(): WebSocket {
const providerNameArb = fc.stringMatching(/^[a-z]{2,12}$/);

/** Arbitrary for provider health state (throws only — timeouts tested separately) */
const unhealthyStateArb = fc.constant<ProviderHealthState>("throws");

Copilot AI left a comment

Contributor

Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.
