Commit Graph

2 Commits

Author SHA1 Message Date
Chiguyong 04ad5966d0 fix(enterprise): ce-debug P3 residual batch — SEC-2 OIDC 验签 + STAND-3 SCIM /scim/v2 + MIG-2 schema 迁移
Test / backend-test (pull_request) Has been cancelled Details
Test / frontend-unit (pull_request) Has been cancelled Details
Test / api-e2e (pull_request) Has been cancelled Details
Test / frontend-e2e (pull_request) Has been cancelled Details
13 项 P3 residual findings 全部清零:

安全/合规
- SEC-2: OIDC id_token 用 JWKS 验签 + IDToken claims_cls 校验 iss/aud/exp(fail-closed,无 jwks_uri 时拒绝回退)
- STAND-3: SCIM router 改挂 /scim/v2(RFC 7644 标准路径)+ 修复双重前缀 bug(router 内部 prefix 移除,由挂载点控制)
- API-12/14: SCIM PATCH 严格性 — 不支持的 op/path 返回 400 noTarget + path==None 时遍历 value keys

性能/可观测
- PERF-6/7: gateway cache metric 修正 — None usage 早退 + 仅对 anthropic/claude model 记录 cache hit/miss

部署/运维
- DEPLOY-8: key-rotation-runbook 拆分 Slot 10(Redis)/Slot 11(PostgreSQL)
- DEPLOY-9: Helm chart 支持 image.digest pinning(@sha256:<digest> 覆盖 tag)

迁移/维护
- MIG-2: auth DB schema 迁移注册表(_SCHEMA_MIGRATIONS dict + _run_schema_migrations 按 version 差值执行)
- MAINT-2: bitable delete_view 三态错误信息(不存在 vs 最后一视图 vs 并发竞争)
- MAINT-3: chatStream 提取 findStreamingSynthesisMilestone helper(去重 team_synthesis_chunk/team_synthesis 谓词)
- MAINT-4 + STAND-2: 前端测试 token 正则 helper + replace 加 g 标志(移除所有 :root 块)

验证:ruff check + format(P3 文件全过)| pytest 526 passed(calendar webhook SSRF 失败为 pre-existing)| helm lint 通过
2026-07-06 12:18:42 +08:00
Chiguyong d3bd0d3b5f feat(auth): U4 — SSO 集成 (OIDC + SAML + SCIM + RBAC 审计)
实现 U4 SSO 集成,按 R1a 多 IDP 信任边界(按 (idp_name, idp_subject)
主键关联,禁止邮箱合并)、R1b 过渡期手动 deprovisioning、R1c 单租户假设。

- OIDC 适配器 (authlib):redirect flow + JIT 用户创建(KTD-2)
  GET  /auth/oauth/{provider}/redirect → IDP authorize
  GET  /auth/oauth/{provider}/callback  → token + userinfo + 关联本地用户
- SAML 适配器 (python3-saml):ACS endpoint
  POST /auth/saml/{provider}/acs → 解析 NameID + JIT 用户创建
- IDPRegistry (idp_registry.py):多 IDP 注册 + 热证书切换 + 健康隔离
- SCIM 2.0 minimal:bearer token 认证 + push 失败告警
  POST  /scim/v2/Users      (create)
  PATCH /scim/v2/Users/{id} (disable)
  GET   /scim/v2/Users       (filter/list)
- 手动 deprovisioning (R1b):operator/admin RBAC + OTel 审计
  POST /admin/users/{user_id}/deprovision
  POST /admin/users/{user_id}/role        (RBAC 角色变更审计 KTD-8)
- AuthDB schema V5:user_idp_links + auth_audit_log(additive)
- middleware 白名单:auth/oauth/、auth/saml/、scim/v2/ 走前缀匹配

测试:31 个单元测试全部通过(OIDC 8 + SAML 7 + SCIM 9 + Audit 6 + 1 schema)
ponytail 简化:
- _StateCache 进程内 dict + TTL 5min(多实例需 Redis 共享 state)
- OneLogin_Saml2_Auth 同步解析走 asyncio.to_thread 避免阻塞
- SCIM alert 走 OTel span event(无独立告警通道)
- 邮箱冲突时使用 fallback 邮箱(@sso.{provider}.local)保留 UNIQUE 约束
2026-07-06 04:15:02 +08:00