Add AccountType to TokenInfo
- TokenInfo now includes AccountType ("human" or "system") from the
MCIAS validate response
- Required for policy engines (MCR, Metacrypt) that match on account type
- Mock MCIAS in tests updated to return account_type
- New assertion in TestValidateToken verifies AccountType is populated
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -73,6 +73,11 @@ type TokenInfo struct {
|
|||||||
// Username is the MCIAS username (the "sub" claim).
|
// Username is the MCIAS username (the "sub" claim).
|
||||||
Username string
|
Username string
|
||||||
|
|
||||||
|
// AccountType is the MCIAS account type: "human" or "system".
|
||||||
|
// Used by policy engines that need to distinguish interactive users
|
||||||
|
// from service accounts.
|
||||||
|
AccountType string
|
||||||
|
|
||||||
// Roles is the set of MCIAS roles assigned to the account.
|
// Roles is the set of MCIAS roles assigned to the account.
|
||||||
Roles []string
|
Roles []string
|
||||||
|
|
||||||
@@ -196,6 +201,7 @@ func (a *Authenticator) ValidateToken(token string) (*TokenInfo, error) {
|
|||||||
Valid bool `json:"valid"`
|
Valid bool `json:"valid"`
|
||||||
Sub string `json:"sub"`
|
Sub string `json:"sub"`
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
AccountType string `json:"account_type"`
|
||||||
Roles []string `json:"roles"`
|
Roles []string `json:"roles"`
|
||||||
}
|
}
|
||||||
status, err := a.doJSON(http.MethodPost, "/v1/token/validate",
|
status, err := a.doJSON(http.MethodPost, "/v1/token/validate",
|
||||||
@@ -210,6 +216,7 @@ func (a *Authenticator) ValidateToken(token string) (*TokenInfo, error) {
|
|||||||
|
|
||||||
info := &TokenInfo{
|
info := &TokenInfo{
|
||||||
Username: resp.Username,
|
Username: resp.Username,
|
||||||
|
AccountType: resp.AccountType,
|
||||||
Roles: resp.Roles,
|
Roles: resp.Roles,
|
||||||
IsAdmin: hasRole(resp.Roles, "admin"),
|
IsAdmin: hasRole(resp.Roles, "admin"),
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -57,6 +57,7 @@ func mockMCIAS(t *testing.T) *httptest.Server {
|
|||||||
"valid": true,
|
"valid": true,
|
||||||
"sub": "uuid-admin",
|
"sub": "uuid-admin",
|
||||||
"username": "admin",
|
"username": "admin",
|
||||||
|
"account_type": "human",
|
||||||
"roles": []string{"admin", "user"},
|
"roles": []string{"admin", "user"},
|
||||||
})
|
})
|
||||||
case "tok-user-456":
|
case "tok-user-456":
|
||||||
@@ -65,6 +66,7 @@ func mockMCIAS(t *testing.T) *httptest.Server {
|
|||||||
"valid": true,
|
"valid": true,
|
||||||
"sub": "uuid-user",
|
"sub": "uuid-user",
|
||||||
"username": "alice",
|
"username": "alice",
|
||||||
|
"account_type": "human",
|
||||||
"roles": []string{"user"},
|
"roles": []string{"user"},
|
||||||
})
|
})
|
||||||
case "tok-expired":
|
case "tok-expired":
|
||||||
@@ -154,6 +156,9 @@ func TestValidateToken(t *testing.T) {
|
|||||||
if info.Username != "admin" {
|
if info.Username != "admin" {
|
||||||
t.Fatalf("Username = %q, want %q", info.Username, "admin")
|
t.Fatalf("Username = %q, want %q", info.Username, "admin")
|
||||||
}
|
}
|
||||||
|
if info.AccountType != "human" {
|
||||||
|
t.Fatalf("AccountType = %q, want %q", info.AccountType, "human")
|
||||||
|
}
|
||||||
if !info.IsAdmin {
|
if !info.IsAdmin {
|
||||||
t.Fatal("IsAdmin = false, want true")
|
t.Fatal("IsAdmin = false, want true")
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user