Skip to content

feat: define auth-gating lane for exposed homelab service UIs#197

Open
clubanderson wants to merge 1 commit into
projectbluefin:mainfrom
clubanderson:feat/auth-gating-lane
Open

feat: define auth-gating lane for exposed homelab service UIs#197
clubanderson wants to merge 1 commit into
projectbluefin:mainfrom
clubanderson:feat/auth-gating-lane

Conversation

@clubanderson

Copy link
Copy Markdown
Contributor

Summary

Defines the auth-gating validation lane under the access/TLS epic (#53), closing #61. This layers credential enforcement on top of the HTTPS transport security proven by #58.

  • Adds §6 to docs/homelab-contracts.md defining what counts as acceptable authenticated vs. unauthenticated exposure, with six minimum evidence artifacts
  • Adds tests/homelab_access/test_auth_probe.py with six pytest checks: unauthenticated rejection (401), challenge header validation (WWW-Authenticate: Basic realm="homelab"), bad-credential rejection, valid-credential acceptance, auth-over-TLS evidence, and no-credential-leakage in 401 body
  • Adds argo/homelab-auth-probe.yaml convenience workflow (auth-mode=true)
  • Adds run-homelab-auth Justfile recipe
  • Updates workload matrix and blockers table

Follow-up work called out explicitly

Concern Deferred to
SSO / OIDC identity provider Follow-up issue under #53
OAuth2 proxy pattern Follow-up once IdP is chosen
Session management / token refresh Follow-up with SSO
Per-service auth (API keys, bearer tokens) Service-catalog lanes under #51
Credential rotation / vault Not in scope for baseline
NetworkPolicy restricting auth bypass Follow-up under #53

Links

Test plan

  • just run-homelab-auth submits the workflow with auth-mode=true
  • All six evidence artifacts are produced in /tmp/results/
  • Unauthenticated request returns HTTP 401 with WWW-Authenticate challenge
  • Bad credentials return HTTP 401
  • Valid credentials return HTTP 200 with access-ok
  • 401 response body does not leak credentials

…tbluefin#61)

Add the auth-gating validation lane under the access/TLS epic (projectbluefin#53),
layering credential enforcement on top of the HTTPS transport security
proven by projectbluefin#58.

Changes:
- Add §6 to homelab-contracts.md defining the auth-gating lane with
  minimum evidence requirements (unauthenticated rejection, challenge
  headers, bad-credential rejection, valid-credential acceptance,
  TLS-only auth, no credential leakage in 401 body)
- Add test_auth_probe.py with six pytest checks that produce the
  required evidence artifacts
- Add argo/homelab-auth-probe.yaml convenience workflow for submitting
  the auth lane (auth-mode=true)
- Add run-homelab-auth Justfile recipe
- Update workload matrix table and blockers to reflect projectbluefin#61 implemented
- Explicitly defer SSO/OIDC, OAuth2 proxy, per-service auth, and
  credential rotation as follow-up work

Signed-off-by: Andy Anderson <andy@clubanderson.com>
Signed-off-by: unknown <unknown@users.noreply.github.com>

@hanthor hanthor left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — well-structured test/infra addition, clean code.

@hanthor hanthor left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Service-catalog lane addition. Merge after foundational #202. LGTM.

@hanthor hanthor left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Superseded by #205. This PR implements basic auth-gating (121-line test, 6 tests) but #205 provides a far more comprehensive implementation: 260-line test with 15 tests, TLS integrity checks, artifact capture, better failure diagnostics, more thorough docs.

Both PRs add tests/homelab_access/test_auth_probe.py -- direct file conflict.
Recommendation: Close in favor of #205.

@hanthor hanthor left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: Approved ✅

Part of the structured service-catalog project build-up. Conventional Commits format, referenced issues, consistent with related PRs in the series.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat: define auth-gating lane for exposed homelab service UIs

3 participants