vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(phase-3): workstream 4 — AGNTCY Federation

Browse Source 
Implements cross-IdP token verification for the AGNTCY ecosystem:

- Migration 015: federation_partners table (issuer, jwks_uri,
  allowed_organizations JSONB, status, expires_at)
- FederationService: registerPartner (JWKS validation at registration),
  listPartners, getPartner, updatePartner, deletePartner,
  verifyFederatedToken (alg:none rejected, RS256/ES256 only,
  allowedOrganizations filter, expiry enforcement)
- JWKS caching in Redis (TTL: FEDERATION_JWKS_CACHE_TTL_SECONDS);
  cache invalidated on partner delete and jwks_uri change
- FederationController + routes: 5 admin:orgs endpoints +
  POST /federation/verify (agents:read)
- OPA policy: 5 federation admin endpoint → admin:orgs mappings
- 499 unit tests passing; 94.69% statement coverage on FederationService

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
2026-03-30 10:13:49 +00:00
parent 5e465e596a
commit 03b5de300c
12 changed files with 2092 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/db/migrations/015_create_federation_partners_table.sql Normal file
View File

@@ -0,0 +1,17 @@
-- federation_partners: trusted external identity providers whose tokens this IdP will accept.
-- A partner is identified by its issuer URL. Its JWKS are fetched from jwks_uri and cached.
-- allowed_organizations is an optional allowlist of organization_id values from the partner's tokens.
-- An empty array means all organizations from this partner are accepted.
CREATE TABLE IF NOT EXISTS federation_partners (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
name VARCHAR(255) NOT NULL,
issuer VARCHAR(512) NOT NULL UNIQUE,
jwks_uri VARCHAR(512) NOT NULL,
allowed_organizations JSONB NOT NULL DEFAULT '[]',
status VARCHAR(32) NOT NULL DEFAULT 'active', -- 'active' | 'suspended' | 'expired'
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
expires_at TIMESTAMPTZ -- NULL means never expires
);
CREATE INDEX IF NOT EXISTS idx_federation_partners_issuer ON federation_partners(issuer);
CREATE INDEX IF NOT EXISTS idx_federation_partners_status ON federation_partners(status);