Add identity foundation

.env.example

@@ -13,3 +13,10 @@ VALKEY_PORT=6379
 NATS_CLIENT_PORT=4222
 NATS_MONITOR_PORT=8222
 NATS_SERVER_NAME=nats-dev
+
+# Test compose stack (only required when RUN_INTEGRATION=1 is set)
+AUTHENTIK_SECRET_KEY=
+AUTHENTIK_BOOTSTRAP_PASSWORD=
+AUTHENTIK_BOOTSTRAP_TOKEN=
+ZAGROSI_TEST_SCIM_BEARER=
+ZAGROSI_TEST_USER_PASSWORD=

.github/branch-protection.json

@@ -37,6 +37,9 @@
           { "context": "rust / cargo deny" },
           { "context": "rust / cargo sbom" },
           { "context": "rust / compose smoke" },
+          { "context": "rust / sso-integration" },
+          { "context": "rust / signin-bench" },
+          { "context": "rust / fuzz-smoke" },
           { "context": "web / pnpm lint" },
           { "context": "web / pnpm typecheck" },
           { "context": "web / pnpm test" },

.github/workflows/rust-signin-bench.yml

@@ -0,0 +1,50 @@
+name: rust / signin-bench
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  signin-bench:
+    name: signin-bench
+    runs-on: ubuntu-latest
+    env:
+      CARGO_TERM_COLOR: always
+      RUSTFLAGS: "-D warnings"
+      ZAGROSI_ARGON2_M_COST: "8"
+      ZAGROSI_ARGON2_T_COST: "1"
+      ZAGROSI_ARGON2_P_COST: "1"
+      ZAGROSI_ARGON2_MAX_CONCURRENCY: "1"
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+      - name: Compile identity benches
+        run: cargo bench --no-run -p zagrosi-identity
+      - name: Install SAML system dependencies
+        run: sudo apt-get update && sudo apt-get install -y libxmlsec1-dev pkg-config
+      - name: Compile SAML bench
+        run: cargo bench --no-run -p zagrosi-identity --features saml --bench signin_saml_acs_bench
+      - name: Run Argon2 calibration bench
+        run: cargo bench -p zagrosi-identity --bench argon2_calibration
+      - name: Run password sign-in bench
+        run: cargo bench -p zagrosi-identity --bench signin_password_bench
+      - name: Run OIDC callback bench
+        run: cargo bench -p zagrosi-identity --bench signin_oidc_callback_bench
+      - name: Run SAML ACS bench
+        run: cargo bench -p zagrosi-identity --features saml --bench signin_saml_acs_bench
+      - name: Run session resolve bench
+        run: cargo bench -p zagrosi-identity --bench session_resolve_bench
+      - name: Run cold session resolve bench
+        run: cargo bench -p zagrosi-identity --bench session_resolve_bench_cold
+      - name: Gate session resolve throughput
+        run: scripts/check-bench-gate.sh session_resolve_bench 10000
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: always()
+        with:
+          name: signin-bench-results
+          path: target/criterion/**/*

.github/workflows/rust.yml

@@ -47,6 +47,8 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+      - name: Install SAML system dependencies
+        run: sudo apt-get update && sudo apt-get install -y libxmlsec1-dev pkg-config
       - uses: Swatinem/rust-cache@23869a5bd66c73db3c0ac40331f3206eb23791dc # v2.9.1
         with:
           shared-key: clippy
@@ -63,6 +65,8 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+      - name: Install SAML system dependencies
+        run: sudo apt-get update && sudo apt-get install -y libxmlsec1-dev pkg-config
       - uses: Swatinem/rust-cache@23869a5bd66c73db3c0ac40331f3206eb23791dc # v2.9.1
         with:
           shared-key: test
@@ -115,3 +119,81 @@ jobs:
           cp .env.example .env
           chmod +x scripts/smoke-compose.sh
           bash scripts/smoke-compose.sh
+
+  sso-integration:
+    name: rust / sso-integration
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+      - uses: Swatinem/rust-cache@23869a5bd66c73db3c0ac40331f3206eb23791dc # v2.9.1
+        with:
+          shared-key: sso-integration
+      - name: Install SAML system dependencies
+        run: sudo apt-get update && sudo apt-get install -y libxmlsec1-dev pkg-config
+      - name: Prepare env
+        run: |
+          cp .env.example .env
+          {
+            echo "POSTGRES_USER=zagrosi"
+            echo "POSTGRES_PASSWORD=smoke-test-password-not-secret"
+            echo "POSTGRES_DB=zagrosi"
+            echo "AUTHENTIK_SECRET_KEY=$(openssl rand -hex 32)"
+            echo "AUTHENTIK_BOOTSTRAP_PASSWORD=$(openssl rand -hex 16)"
+            echo "AUTHENTIK_BOOTSTRAP_TOKEN=$(openssl rand -hex 32)"
+            echo "ZAGROSI_TEST_SCIM_BEARER=scim_$(openssl rand -hex 32)"
+            echo "ZAGROSI_TEST_USER_PASSWORD=$(openssl rand -hex 16)"
+            echo "RUN_INTEGRATION=1"
+          } >> .env
+      - name: Bring up test compose smoke
+        run: |
+          chmod +x scripts/smoke-sso.sh scripts/bootstrap-authentik.sh
+          bash scripts/smoke-sso.sh
+      - name: Bring up test compose for tests
+        run: |
+          set -a; source .env; set +a
+          docker compose -f deploy/docker/compose.yaml -f deploy/docker/compose.test.yaml up -d --wait
+          bash scripts/bootstrap-authentik.sh
+      - name: Run integration tests
+        env:
+          RUN_INTEGRATION: "1"
+          SQLX_OFFLINE: "true"
+          DATABASE_URL: postgres://zagrosi:smoke-test-password-not-secret@127.0.0.1:5432/zagrosi
+        run: cargo test -p zagrosi-identity --features saml --tests --no-fail-fast
+      - name: Tear down
+        if: always()
+        run: |
+          set -a
+          [ ! -f .env ] || source .env
+          set +a
+          docker compose -f deploy/docker/compose.yaml -f deploy/docker/compose.test.yaml down -v --remove-orphans
+
+  fuzz-smoke:
+    name: rust / fuzz-smoke
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+        with:
+          toolchain: nightly
+      - uses: Swatinem/rust-cache@23869a5bd66c73db3c0ac40331f3206eb23791dc # v2.9.1
+        with:
+          shared-key: fuzz-smoke
+      - name: Install SAML system dependencies
+        run: sudo apt-get update && sudo apt-get install -y libxmlsec1-dev pkg-config
+      - name: Install cargo-fuzz
+        run: RUSTFLAGS="" cargo +stable install cargo-fuzz --locked --version '^0.12'
+      - name: Build fuzz targets
+        working-directory: crates/zagrosi-identity
+        run: |
+          cargo +nightly fuzz build saml_assertion
+          cargo +nightly fuzz build scim_filter
+          cargo +nightly fuzz build oidc_id_token
+      - name: Smoke each target for 60s
+        working-directory: crates/zagrosi-identity
+        run: |
+          for target in saml_assertion scim_filter oidc_id_token; do
+            cargo +nightly fuzz run "$target" -- -max_total_time=60 -timeout=10
+          done