vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(phase-3): workstream 4 — AGNTCY Federation

Browse Source 
Implements cross-IdP token verification for the AGNTCY ecosystem:

- Migration 015: federation_partners table (issuer, jwks_uri,
  allowed_organizations JSONB, status, expires_at)
- FederationService: registerPartner (JWKS validation at registration),
  listPartners, getPartner, updatePartner, deletePartner,
  verifyFederatedToken (alg:none rejected, RS256/ES256 only,
  allowedOrganizations filter, expiry enforcement)
- JWKS caching in Redis (TTL: FEDERATION_JWKS_CACHE_TTL_SECONDS);
  cache invalidated on partner delete and jwks_uri change
- FederationController + routes: 5 admin:orgs endpoints +
  POST /federation/verify (agents:read)
- OPA policy: 5 federation admin endpoint → admin:orgs mappings
- 499 unit tests passing; 94.69% statement coverage on FederationService

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
2026-03-30 10:13:49 +00:00
parent 5e465e596a
commit 03b5de300c
12 changed files with 2092 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
policies/authz.rego
View File

@@ -81,6 +81,18 @@ normalise_path(path) := "/api/v1/organizations" if {
path == "/api/v1/organizations"
}
normalise_path(path) := "/api/v1/federation/partners/:id" if {
regex.match(`^/api/v1/federation/partners/[^/]+$`, path)
}
normalise_path(path) := "/api/v1/federation/partners" if {
path == "/api/v1/federation/partners"
}
normalise_path(path) := "/api/v1/federation/trust" if {
path == "/api/v1/federation/trust"
}
# ─── Core allow rule ──────────────────────────────────────────────────────────
# allow = true if every required scope for the endpoint is present in input.scopes.

7
policies/data/scopes.json
View File

@@ -19,6 +19,11 @@
"PATCH:/api/v1/organizations/:id": ["admin:orgs"],
"DELETE:/api/v1/organizations/:id": ["admin:orgs"],
"POST:/api/v1/organizations/:id/members": ["admin:orgs"],
"GET:/api/v1/agents/:agentId/did/resolve": ["agents:read"]
"GET:/api/v1/agents/:agentId/did/resolve": ["agents:read"],
"POST:/api/v1/federation/trust": ["admin:orgs"],
"GET:/api/v1/federation/partners": ["admin:orgs"],
"GET:/api/v1/federation/partners/:id": ["admin:orgs"],
"PATCH:/api/v1/federation/partners/:id": ["admin:orgs"],
"DELETE:/api/v1/federation/partners/:id": ["admin:orgs"]
}
}