[Debt] Refactor high-complexity access directory/RBAC/admin flows #13

Open
opened 2026-07-11 12:51:23 +02:00 by zemion · 3 comments
Owner

Xenon/Radon identify high-complexity access functions across directory, auth dependencies, permissions, and admin routes.

Classification: structural maintainability work.

Report evidence:

  • _resolve_legacy_principal_ref rank D.
  • update_group, update_system_account, update_user ranks C+.
  • validate_permissions rank C.
  • display_label, _idm_function_role_sources, _scope_provenance ranks C.

Suggested next steps:

  • Split route request validation, permission checks, and persistence updates.
  • Extract legacy principal resolution into a focused compatibility service.
  • Add regression tests before simplifying RBAC/directory code paths.

Baseline report directory: audit-reports/govoplan-full-20260711-1238

Sequencing Note: After #12

This refactor should follow govoplan-access#12 rather than run ahead of it.

Reasoning:

  • #12 changes the admin list/query shape and should establish pagination, batch loading, and bounded query-count expectations first.
  • Once #12 is closed, this issue can split route request validation, permission checks, persistence updates, and legacy principal resolution with clearer regression coverage.
  • Keep the first refactor slice focused on _resolve_legacy_principal_ref, update_user, update_group, and update_system_account; then move to permission catalog/explanation helpers.
<!-- codex-audit-full-2026-07-11:access-complexity-baseline --> Xenon/Radon identify high-complexity access functions across directory, auth dependencies, permissions, and admin routes. Classification: **structural maintainability work**. Report evidence: - `_resolve_legacy_principal_ref` rank D. - `update_group`, `update_system_account`, `update_user` ranks C+. - `validate_permissions` rank C. - `display_label`, `_idm_function_role_sources`, `_scope_provenance` ranks C. Suggested next steps: - Split route request validation, permission checks, and persistence updates. - Extract legacy principal resolution into a focused compatibility service. - Add regression tests before simplifying RBAC/directory code paths. Baseline report directory: `audit-reports/govoplan-full-20260711-1238` ## Sequencing Note: After #12 This refactor should follow `govoplan-access#12` rather than run ahead of it. Reasoning: - `#12` changes the admin list/query shape and should establish pagination, batch loading, and bounded query-count expectations first. - Once `#12` is closed, this issue can split route request validation, permission checks, persistence updates, and legacy principal resolution with clearer regression coverage. - Keep the first refactor slice focused on `_resolve_legacy_principal_ref`, `update_user`, `update_group`, and `update_system_account`; then move to permission catalog/explanation helpers.
zemion added the
type
debt
module/access
priority
p3
status
ready
codex/ready
labels 2026-07-11 12:51:23 +02:00
zemion added the
audit/complexity
audit/structural
source/security-audit
labels 2026-07-11 16:10:52 +02:00
Author
Owner

Sequencing confirmed: keep this open, but tackle it after govoplan-access#12 finishes the pagination/batch-loading contract and tests.

Sequencing confirmed: keep this open, but tackle it after `govoplan-access#12` finishes the pagination/batch-loading contract and tests.
Author
Owner

Codex State: progress

Summary

  • Started the complexity refactor by splitting legacy principal resolution into focused API-key, session, CSRF, and IDM-context helpers while preserving resolver/capability behavior.

Changed Files

  • src/govoplan_access/backend/auth/dependencies.py
  • tests/test_auth_dependencies.py

Verification

  • PYTHONPATH=/mnt/DATA/git/govoplan-core/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-tenancy/src /mnt/DATA/git/govoplan/.venv/bin/python -m unittest tests.test_optional_tenancy_contract tests.test_admin_pagination tests.test_admin_batch_helpers tests.test_auth_dependencies
  • PYTHONPATH=/mnt/DATA/git/govoplan-core/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-tenancy/src /mnt/DATA/git/govoplan/.venv/bin/python -m compileall -q src tests

Next / Blocked

  • Remaining: split admin mutation route validation/permission/persistence flows for update_user, update_group, and update_system_account, then revisit permission catalog/explanation helpers.

Suggested status label: status/in-progress

## Codex State: progress ### Summary - Started the complexity refactor by splitting legacy principal resolution into focused API-key, session, CSRF, and IDM-context helpers while preserving resolver/capability behavior. ### Changed Files - `src/govoplan_access/backend/auth/dependencies.py` - `tests/test_auth_dependencies.py` ### Verification - `PYTHONPATH=/mnt/DATA/git/govoplan-core/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-tenancy/src /mnt/DATA/git/govoplan/.venv/bin/python -m unittest tests.test_optional_tenancy_contract tests.test_admin_pagination tests.test_admin_batch_helpers tests.test_auth_dependencies` - `PYTHONPATH=/mnt/DATA/git/govoplan-core/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-tenancy/src /mnt/DATA/git/govoplan/.venv/bin/python -m compileall -q src tests` ### Next / Blocked - Remaining: split admin mutation route validation/permission/persistence flows for update_user, update_group, and update_system_account, then revisit permission catalog/explanation helpers. Suggested status label: `status/in-progress`
Author
Owner

Codex State: progress

Summary

  • Further split admin mutation routes: update_user, update_group, and update_system_account now delegate permission checks, persistence/owner validation, and change-sequence recording to focused helpers.

Changed Files

  • src/govoplan_access/backend/api/v1/routes.py

Verification

  • PYTHONPATH=/mnt/DATA/git/govoplan-core/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-tenancy/src /mnt/DATA/git/govoplan/.venv/bin/python -m unittest tests.test_optional_tenancy_contract tests.test_admin_pagination tests.test_admin_batch_helpers tests.test_auth_dependencies
  • PYTHONPATH=/mnt/DATA/git/govoplan-core/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-tenancy/src /mnt/DATA/git/govoplan/.venv/bin/python -m compileall -q src tests
  • /home/zemion/.nvm/versions/node/v22.22.3/bin/npm run build in govoplan-core/webui

Next / Blocked

  • Remaining: permission catalog validation and access explanation helpers still need separate smaller refactor slices before this broad debt issue should close.

Suggested status label: status/in-progress

## Codex State: progress ### Summary - Further split admin mutation routes: update_user, update_group, and update_system_account now delegate permission checks, persistence/owner validation, and change-sequence recording to focused helpers. ### Changed Files - `src/govoplan_access/backend/api/v1/routes.py` ### Verification - `PYTHONPATH=/mnt/DATA/git/govoplan-core/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-tenancy/src /mnt/DATA/git/govoplan/.venv/bin/python -m unittest tests.test_optional_tenancy_contract tests.test_admin_pagination tests.test_admin_batch_helpers tests.test_auth_dependencies` - `PYTHONPATH=/mnt/DATA/git/govoplan-core/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-tenancy/src /mnt/DATA/git/govoplan/.venv/bin/python -m compileall -q src tests` - `/home/zemion/.nvm/versions/node/v22.22.3/bin/npm run build in govoplan-core/webui` ### Next / Blocked - Remaining: permission catalog validation and access explanation helpers still need separate smaller refactor slices before this broad debt issue should close. Suggested status label: `status/in-progress`
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-access#13
No description provided.