diff --git a/docs/advanced/provider-capabilities.md b/docs/advanced/provider-capabilities.md
index 3960ce2..5d809d4 100644
--- a/docs/advanced/provider-capabilities.md
+++ b/docs/advanced/provider-capabilities.md
@@ -28,7 +28,7 @@ Naming convention:
 - dot-separated segments
 - no whitespace
 - starts with a letter
-- examples: `Identity.Read`, `Identity.Disable`, `IdLE.Entitlement.List`
+- examples: `IdLE.Identity.Read`, `IdLE.Identity.Disable`, `IdLE.Entitlement.List`
 ### Entitlement capability set
@@ -79,9 +79,9 @@ The method returns a string list, e.g.:
 ```powershell
 $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
 return @(
- 'Identity.Read'
- 'Identity.Attribute.Ensure'
- 'Identity.Disable'
+ 'IdLE.Identity.Read'
+ 'IdLE.Identity.Attribute.Ensure'
+ 'IdLE.Identity.Disable'
 )
 } -Force
 ```
@@ -114,7 +114,7 @@ Example:
 @{
 Name = 'Disable identity'
 Type = 'DisableIdentity'
- RequiresCapabilities = @('Identity.Read', 'Identity.Disable')
+ RequiresCapabilities = @('IdLE.Identity.Read', 'IdLE.Identity.Disable')
 }
 ```
diff --git a/docs/usage/steps.md b/docs/usage/steps.md
index afb90db..27692f4 100644
--- a/docs/usage/steps.md
+++ b/docs/usage/steps.md
@@ -105,7 +105,7 @@ For details on declaring OnFailureSteps, see [Workflows](workflows.md).
 IdLE ships with a small set of built-in steps to keep demos and tests frictionless:
-- **IdLE.Step.EnsureAttribute**: converges an identity attribute to the desired value using `With.IdentityKey`, `With.Name`, and `With.Value`. Requires a provider with `EnsureAttribute` and usually the `Identity.Attribute.Ensure` capability.
+- **IdLE.Step.EnsureAttribute**: converges an identity attribute to the desired value using `With.IdentityKey`, `With.Name`, and `With.Value`. Requires a provider with `EnsureAttribute` and usually the `IdLE.Identity.Attribute.Ensure` capability.
 - **IdLE.Step.EnsureEntitlement**: converges an entitlement assignment to `Present` or `Absent` using `With.IdentityKey`, `With.Entitlement` (Kind + Id + optional DisplayName), `With.State`, and optional `With.Provider` (default `Identity`). Requires provider methods `ListEntitlements` plus `GrantEntitlement` or `RevokeEntitlement` and typically the capabilities `IdLE.Entitlement.List` plus `IdLE.Entitlement.Grant|Revoke`.
 ## Related
diff --git a/examples/workflows/joiner-ensureentitlement.psd1 b/examples/workflows/joiner-ensureentitlement.psd1
index 1b02c8c..14347ad 100644
--- a/examples/workflows/joiner-ensureentitlement.psd1
+++ b/examples/workflows/joiner-ensureentitlement.psd1
@@ -6,7 +6,7 @@
 Name = 'Ensure Department'
 Type = 'IdLE.Step.EnsureAttribute'
 With = @{ IdentityKey = 'user1'; Name = 'Department'; Value = 'IT'; Provider = 'Identity' }
- RequiresCapabilities = 'Identity.Attribute.Ensure'
+ RequiresCapabilities = 'IdLE.Identity.Attribute.Ensure'
 },
 @{
 Name = 'Assign demo group'
diff --git a/examples/workflows/joiner-with-onfailure.psd1 b/examples/workflows/joiner-with-onfailure.psd1
index f8e0b32..660602b 100644
--- a/examples/workflows/joiner-with-onfailure.psd1
+++ b/examples/workflows/joiner-with-onfailure.psd1
@@ -18,7 +18,7 @@
 Value = 'IT'
 Provider = 'Identity'
 }
- RequiresCapabilities = 'Identity.Attribute.Ensure'
+ RequiresCapabilities = 'IdLE.Identity.Attribute.Ensure'
 }
 @{
 Name = 'Assign demo group'
diff --git a/src/IdLE.Core/Private/Get-IdleProviderCapabilities.ps1 b/src/IdLE.Core/Private/Get-IdleProviderCapabilities.ps1
index 5a563f0..ec3e4a7 100644
--- a/src/IdLE.Core/Private/Get-IdleProviderCapabilities.ps1
+++ b/src/IdLE.Core/Private/Get-IdleProviderCapabilities.ps1
@@ -61,13 +61,13 @@ function Get-IdleProviderCapabilities {
 $capabilities += 'IdLE.Entitlement.Revoke'
 }
 if ($methodNames -contains 'EnsureAttribute') {
- $capabilities += 'Identity.Attribute.Ensure'
+ $capabilities += 'IdLE.Identity.Attribute.Ensure'
 }
 if ($methodNames -contains 'DisableIdentity') {
- $capabilities += 'Identity.Disable'
+ $capabilities += 'IdLE.Identity.Disable'
 }
 if ($methodNames -contains 'GetIdentity') {
- $capabilities += 'Identity.Read'
+ $capabilities += 'IdLE.Identity.Read'
 }
 $capabilitySource = 'inferred'
@@ -90,9 +90,9 @@ function Get-IdleProviderCapabilities {
 # - dot-separated segments
 # - no whitespace
 # - starts with a letter
- # Example: 'Entitlement.Write', 'Identity.Attribute.Ensure'
+ # Example: 'IdLE.Entitlement.Write', 'IdLE.Identity.Attribute.Ensure'
 if ($s -notmatch '^[A-Za-z][A-Za-z0-9]*(\.[A-Za-z0-9]+)+$') {
- throw "Provider capability '$s' is invalid. Expected dot-separated segments like 'Identity.Read' or 'Entitlement.Write'."
+ throw "Provider capability '$s' is invalid. Expected dot-separated segments like 'IdLE.Identity.Read' or 'IdLE.Entitlement.Write'."
 }
 if ($seen.Add($s)) {
diff --git a/src/IdLE.Core/Public/New-IdlePlanObject.ps1 b/src/IdLE.Core/Public/New-IdlePlanObject.ps1
index 8014d4e..1f8f7a7 100644
--- a/src/IdLE.Core/Public/New-IdlePlanObject.ps1
+++ b/src/IdLE.Core/Public/New-IdlePlanObject.ps1
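Review bot: The inferred names in the `@@ -61,13` hunk move from `Identity.*` to `IdLE.Identity.*` with no handling of the old spelling. A provider whose own `GetCapabilities` still returns `Identity.Read` remains well-formed under the pattern further down, but will presumably no longer satisfy a step that now requires `IdLE.Identity.Read`. That fails closed at plan time, which is the safe direction, but the operator sees only a MissingCapabilities error with no hint that a rename is the cause. Consider a one-release alias map that emits a deprecation warning, or have the validation reject the three known legacy names with a message naming the replacement. The function body starts and ends outside the hunk.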
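Review bot: The format check kept as context in the `@@ -90,9` hunk ends in `$`, which in .NET regex also matches just before a final line feed, so a capability string with a trailing newline passes despite the stated "no whitespace" rule; anchoring with `\z`, as in `if ($s -notmatch '^[A-Za-z][A-Za-z0-9]*(\.[A-Za-z0-9]+)+\z') {`, closes that. The identical pattern is in the New-IdlePlanObject.ps1 hunk and needs the same change. Separately, the updated comment and error message cite `IdLE.Entitlement.Write`, which is not among the entitlement capabilities this diff shows (`List`, `Grant`, `Revoke`); `IdLE.Entitlement.List` would avoid pointing provider authors at a name nothing appears to advertise. The pattern does not require the `IdLE.` prefix either, so an un-prefixed name is still accepted as well-formed.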
@@ -164,7 +164,7 @@ function New-IdlePlanObject {
 # - starts with a letter
 if ($s -notmatch '^[A-Za-z][A-Za-z0-9]*(\.[A-Za-z0-9]+)+$') {
 throw [System.ArgumentException]::new(
- ("Workflow step '{0}' declares invalid capability '{1}'. Expected dot-separated segments like 'Identity.Read'." -f $StepName, $s),
+ ("Workflow step '{0}' declares invalid capability '{1}'. Expected dot-separated segments like 'IdLE.Identity.Read'." -f $StepName, $s),
 'Workflow'
 )
 }
diff --git a/src/IdLE.Provider.Mock/Public/New-IdleMockIdentityProvider.ps1 b/src/IdLE.Provider.Mock/Public/New-IdleMockIdentityProvider.ps1
index 1ce6950..0c8bd0b 100644
--- a/src/IdLE.Provider.Mock/Public/New-IdleMockIdentityProvider.ps1
+++ b/src/IdLE.Provider.Mock/Public/New-IdleMockIdentityProvider.ps1
@@ -137,9 +137,9 @@ function New-IdleMockIdentityProvider {
 #>
 return @(
- 'Identity.Read'
- 'Identity.Attribute.Ensure'
- 'Identity.Disable'
+ 'IdLE.Identity.Read'
+ 'IdLE.Identity.Attribute.Ensure'
+ 'IdLE.Identity.Disable'
 'IdLE.Entitlement.List'
 'IdLE.Entitlement.Grant'
 'IdLE.Entitlement.Revoke'
diff --git a/tests/Get-IdleProviderCapabilities.Tests.ps1 b/tests/Get-IdleProviderCapabilities.Tests.ps1
index d3c21b3..0f68fc0 100644
--- a/tests/Get-IdleProviderCapabilities.Tests.ps1
+++ b/tests/Get-IdleProviderCapabilities.Tests.ps1
@@ -21,19 +21,19 @@ Describe 'IdLE.Core - Get-IdleProviderCapabilities (provider capability discover
 $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
 return @(
- 'Identity.Disable'
- 'Identity.Read'
- 'Identity.Read' # duplicate on purpose
- 'Identity.Attribute.Ensure'
+ 'IdLE.Identity.Disable'
+ 'IdLE.Identity.Read'
+ 'IdLE.Identity.Read' # duplicate on purpose
+ 'IdLE.Identity.Attribute.Ensure'
 )
 } -Force
 $caps = Get-IdleProviderCapabilities -Provider $provider
 $caps | Should -Be @(
- 'Identity.Attribute.Ensure'
- 'Identity.Disable'
- 'Identity.Read'
+ 'IdLE.Identity.Attribute.Ensure'
+ 'IdLE.Identity.Disable'
+ 'IdLE.Identity.Read'
 )
 }
@@ -81,9 +81,9 @@ Describe 'IdLE.Core - Get-IdleProviderCapabilities (provider capability discover
 'IdLE.Entitlement.Grant'
 'IdLE.Entitlement.List'
 'IdLE.Entitlement.Revoke'
- 'Identity.Attribute.Ensure'
- 'Identity.Disable'
- 'Identity.Read'
+ 'IdLE.Identity.Attribute.Ensure'
+ 'IdLE.Identity.Disable'
+ 'IdLE.Identity.Read'
 )
 }
@@ -97,12 +97,12 @@ Describe 'IdLE.Core - Get-IdleProviderCapabilities (provider capability discover
 # Also add explicit GetCapabilities (must win)
 $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
- return @('Identity.Read')
+ return @('IdLE.Identity.Read')
 } -Force
 $caps = Get-IdleProviderCapabilities -Provider $provider -AllowInference
- $caps | Should -Be @('Identity.Read')
+ $caps | Should -Be @('IdLE.Identity.Read')
 }
 }
 }
diff --git a/tests/New-IdlePlan.Capabilities.Tests.ps1 b/tests/New-IdlePlan.Capabilities.Tests.ps1
index 85b962f..da48845 100644
--- a/tests/New-IdlePlan.Capabilities.Tests.ps1
+++ b/tests/New-IdlePlan.Capabilities.Tests.ps1
@@ -16,7 +16,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 @{
 Name = 'Disable identity'
 Type = 'IdLE.Step.DisableIdentity'
- RequiresCapabilities = @('Identity.Disable')
+ RequiresCapabilities = @('IdLE.Identity.Disable')
 }
 )
 }
@@ -29,7 +29,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 throw 'Expected an exception but none was thrown.'
 } catch {
- $_.Exception.Message | Should -Match 'MissingCapabilities: Identity\.Disable'
+ $_.Exception.Message | Should -Match 'MissingCapabilities: IdLE\.Identity\.Disable'
 $_.Exception.Message | Should -Match 'AffectedSteps: Disable identity'
 }
 }
@@ -45,7 +45,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 @{
 Name = 'Disable identity'
 Type = 'IdLE.Step.DisableIdentity'
- RequiresCapabilities = @('Identity.Disable')
+ RequiresCapabilities = @('IdLE.Identity.Disable')
 }
 )
 }
@@ -55,7 +55,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 $provider = [pscustomobject]@{ Name = 'IdentityProvider' }
 $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
- return @('Identity.Disable')
+ return @('IdLE.Identity.Disable')
 } -Force
 $providers = @{
@@ -66,7 +66,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 $plan | Should -Not -BeNullOrEmpty
 $plan.Steps.Count | Should -Be 1
- $plan.Steps[0].RequiresCapabilities | Should -Be @('Identity.Disable')
+ $plan.Steps[0].RequiresCapabilities | Should -Be @('IdLE.Identity.Disable')
 }
 It 'fails fast when an OnFailure step requires capabilities that no provider advertises' {
@@ -86,7 +86,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 @{
 Name = 'Containment'
 Type = 'IdLE.Step.Containment'
- RequiresCapabilities = @('Identity.Disable')
+ RequiresCapabilities = @('IdLE.Identity.Disable')
 }
 )
 }
@@ -99,7 +99,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 throw 'Expected an exception but none was thrown.'
 } catch {
- $_.Exception.Message | Should -Match 'MissingCapabilities: Identity\.Disable'
+ $_.Exception.Message | Should -Match 'MissingCapabilities: IdLE\.Identity\.Disable'
 $_.Exception.Message | Should -Match 'AffectedSteps: Containment'
 }
 }
@@ -121,7 +121,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 @{
 Name = 'Containment'
 Type = 'IdLE.Step.Containment'
- RequiresCapabilities = @('Identity.Disable')
+ RequiresCapabilities = @('IdLE.Identity.Disable')
 }
 )
 }
@@ -131,7 +131,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 $provider = [pscustomobject]@{ Name = 'IdentityProvider' }
 $provider | Add-Member -MemberType ScriptMethod -Name GetCapabilities -Value {
- return @('Identity.Disable')
+ return @('IdLE.Identity.Disable')
 } -Force
 $providers = @{
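Review bot: No case in this file pins what happens when the provider and the workflow disagree on the spelling; the `@@ -55,7` hunk updates the advertised name and the required name in lockstep, as do the other hunks. Since the capability check is what stops a step from running against a provider that does not support it, it is worth adding an `It` block where `GetCapabilities` returns `@('Identity.Disable')` while the step declares `RequiresCapabilities = @('IdLE.Identity.Disable')`, asserting that planning throws and that the message matches `'MissingCapabilities: IdLE\.Identity\.Disable'`. That would document the rename as fail-closed and catch any later alias handling that matches too loosely. The enclosing `Describe` block starts and ends outside the hunk.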
@@ -142,7 +142,7 @@ Describe 'New-IdlePlan - required provider capabilities' {
 $plan | Should -Not -BeNullOrEmpty
 $plan.OnFailureSteps.Count | Should -Be 1
- $plan.OnFailureSteps[0].RequiresCapabilities | Should -Be @('Identity.Disable')
+ $plan.OnFailureSteps[0].RequiresCapabilities | Should -Be @('IdLE.Identity.Disable')
 }
 It 'validates entitlement capabilities for EnsureEntitlement steps' {