MasterMito/work-club-manager
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

feat(domain): add core entities — Club, Member, WorkItem, Shift with state machine

Browse Source 
- Create domain entities in WorkClub.Domain/Entities: Club, Member, WorkItem, Shift, ShiftSignup
- Implement enums: SportType, ClubRole, WorkItemStatus
- Add ITenantEntity interface for multi-tenancy support
- Implement state machine validation on WorkItem with C# 14 switch expressions
- Valid transitions: Open→Assigned→InProgress→Review→Done, Review→InProgress (rework)
- All invalid transitions throw InvalidOperationException
- TDD approach: Write tests first, 12/12 passing
- Use required properties with explicit Guid/Guid? for foreign keys
- DateTimeOffset for timestamps (timezone-aware, multi-tenant friendly)
- RowVersion byte[] for optimistic concurrency control
- No navigation properties yet (deferred to EF Core task)
- No domain events or validation attributes (YAGNI for MVP)
This commit is contained in:
WorkClub Automation
2026-03-03 14:09:25 +01:00
parent cf7b47cb69
commit ba024c45be
64 changed files with 4598 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
infra/k8s/base/backend-deployment.yaml Normal file
View File

@@ -0,0 +1,74 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: workclub-api
labels:
app: workclub-api
component: backend
spec:
replicas: 1
selector:
matchLabels:
app: workclub-api
template:
metadata:
labels:
app: workclub-api
component: backend
spec:
containers:
- name: api
image: workclub-api:latest
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8080
protocol: TCP
startupProbe:
httpGet:
path: /health/startup
port: http
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 30
livenessProbe:
httpGet:
path: /health/live
port: http
initialDelaySeconds: 10
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /health/ready
port: http
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 2
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
env:
- name: ASPNETCORE_ENVIRONMENT
value: "Development"
- name: ASPNETCORE_URLS
value: "http://+:8080"
- name: ConnectionStrings__DefaultConnection
valueFrom:
secretKeyRef:
name: workclub-secrets
key: database-connection-string
- name: Keycloak__Url
valueFrom:
configMapKeyRef:
name: workclub-config
key: keycloak-url

16
infra/k8s/base/backend-service.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: workclub-api
labels:
app: workclub-api
component: backend
spec:
type: ClusterIP
selector:
app: workclub-api
ports:
- name: http
port: 80
targetPort: 8080
protocol: TCP

41
infra/k8s/base/configmap.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: workclub-config
labels:
app: workclub
data:
log-level: "Information"
cors-origins: "http://localhost:3000"
api-base-url: "http://workclub-api"
keycloak-url: "http://workclub-keycloak"
keycloak-realm: "workclub"
# Database configuration
database-host: "workclub-postgres"
database-port: "5432"
database-name: "workclub"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: postgres-init
labels:
app: workclub-postgres
data:
init.sql: |
-- Create keycloak database and user
CREATE DATABASE keycloak;
CREATE USER keycloak WITH PASSWORD 'keycloakpass';
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
-- Keycloak database permissions
\c keycloak
GRANT ALL PRIVILEGES ON SCHEMA public TO keycloak;
ALTER SCHEMA public OWNER TO keycloak;
-- Application database permissions
\c workclub
GRANT ALL PRIVILEGES ON SCHEMA public TO app;
ALTER SCHEMA public OWNER TO app;

64
infra/k8s/base/frontend-deployment.yaml Normal file
View File

@@ -0,0 +1,64 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: workclub-frontend
labels:
app: workclub-frontend
component: frontend
spec:
replicas: 1
selector:
matchLabels:
app: workclub-frontend
template:
metadata:
labels:
app: workclub-frontend
component: frontend
spec:
containers:
- name: frontend
image: workclub-frontend:latest
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 3000
protocol: TCP
readinessProbe:
httpGet:
path: /api/health
port: http
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 2
livenessProbe:
httpGet:
path: /api/health
port: http
initialDelaySeconds: 10
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 3
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
env:
- name: NODE_ENV
value: "production"
- name: NEXT_PUBLIC_API_URL
valueFrom:
configMapKeyRef:
name: workclub-config
key: api-base-url
- name: NEXT_PUBLIC_KEYCLOAK_URL
valueFrom:
configMapKeyRef:
name: workclub-config
key: keycloak-url

16
infra/k8s/base/frontend-service.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: workclub-frontend
labels:
app: workclub-frontend
component: frontend
spec:
type: ClusterIP
selector:
app: workclub-frontend
ports:
- name: http
port: 80
targetPort: 3000
protocol: TCP

25
infra/k8s/base/ingress.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: workclub-ingress
labels:
app: workclub
spec:
rules:
- host: localhost
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: workclub-frontend
port:
number: 80
- path: /api
pathType: Prefix
backend:
service:
name: workclub-api
port:
number: 80

81
infra/k8s/base/keycloak-deployment.yaml Normal file
View File

@@ -0,0 +1,81 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: workclub-keycloak
labels:
app: workclub-keycloak
component: auth
spec:
replicas: 1
selector:
matchLabels:
app: workclub-keycloak
template:
metadata:
labels:
app: workclub-keycloak
component: auth
spec:
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:26.1
imagePullPolicy: IfNotPresent
command:
- start
ports:
- name: http
containerPort: 8080
protocol: TCP
readinessProbe:
httpGet:
path: /health/ready
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 2
livenessProbe:
httpGet:
path: /health/live
port: http
initialDelaySeconds: 20
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 3
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
env:
- name: KC_DB
value: postgres
- name: KC_DB_URL_HOST
value: workclub-postgres
- name: KC_DB_URL_PORT
value: "5432"
- name: KC_DB_URL_DATABASE
value: keycloak
- name: KC_DB_USERNAME
value: keycloak
- name: KC_DB_PASSWORD
valueFrom:
secretKeyRef:
name: workclub-secrets
key: keycloak-db-password
- name: KEYCLOAK_ADMIN
value: admin
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: workclub-secrets
key: keycloak-admin-password
- name: KC_HOSTNAME_STRICT
value: "false"
- name: KC_PROXY
value: "edge"
- name: KC_HTTP_ENABLED
value: "true"

16
infra/k8s/base/keycloak-service.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: workclub-keycloak
labels:
app: workclub-keycloak
component: auth
spec:
type: ClusterIP
selector:
app: workclub-keycloak
ports:
- name: http
port: 80
targetPort: 8080
protocol: TCP

14
infra/k8s/base/kustomization.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- backend-deployment.yaml
- backend-service.yaml
- frontend-deployment.yaml
- frontend-service.yaml
- postgres-statefulset.yaml
- postgres-service.yaml
- keycloak-deployment.yaml
- keycloak-service.yaml
- configmap.yaml
- ingress.yaml

37
infra/k8s/base/postgres-service.yaml Normal file
View File

@@ -0,0 +1,37 @@
---
apiVersion: v1
kind: Service
metadata:
name: workclub-postgres-headless
labels:
app: workclub-postgres
component: database
spec:
type: ClusterIP
clusterIP: None
selector:
app: workclub-postgres
ports:
- name: postgresql
port: 5432
targetPort: 5432
protocol: TCP
publishNotReadyAddresses: true
---
apiVersion: v1
kind: Service
metadata:
name: workclub-postgres
labels:
app: workclub-postgres
component: database
spec:
type: ClusterIP
selector:
app: workclub-postgres
ports:
- name: postgresql
port: 5432
targetPort: 5432
protocol: TCP

91
infra/k8s/base/postgres-statefulset.yaml Normal file
View File

@@ -0,0 +1,91 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: workclub-postgres
labels:
app: workclub-postgres
component: database
spec:
serviceName: workclub-postgres-headless
replicas: 1
selector:
matchLabels:
app: workclub-postgres
template:
metadata:
labels:
app: workclub-postgres
component: database
spec:
containers:
- name: postgres
image: postgres:16-alpine
imagePullPolicy: IfNotPresent
ports:
- name: postgresql
containerPort: 5432
protocol: TCP
livenessProbe:
exec:
command:
- /bin/sh
- -c
- pg_isready -U app -d workclub
initialDelaySeconds: 10
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
exec:
command:
- /bin/sh
- -c
- pg_isready -U app -d workclub
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 2
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
env:
- name: POSTGRES_DB
value: workclub
- name: POSTGRES_USER
value: app
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: workclub-secrets
key: postgres-password
volumeMounts:
- name: postgres-data
mountPath: /var/lib/postgresql/data
subPath: postgres
- name: postgres-init
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: postgres-init
configMap:
name: postgres-init
items:
- key: init.sql
path: init.sql
volumeClaimTemplates:
- metadata:
name: postgres-data
spec:
accessModes:
- ReadWriteOnce
storageClassName: standard
resources:
requests:
storage: 10Gi

141
infra/keycloak/test-auth.sh Executable file
View File

@@ -0,0 +1,141 @@
#!/bin/bash
set -euo pipefail
# Test script for Keycloak authentication and JWT claims verification
# This script validates the realm configuration after import
KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8080}"
REALM="workclub"
CLIENT_ID="workclub-app"
# Color output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
echo "=== Keycloak Authentication Test ==="
echo "Keycloak URL: $KEYCLOAK_URL"
echo "Realm: $REALM"
echo ""
# Wait for Keycloak to be ready
echo "Waiting for Keycloak to be ready..."
max_attempts=60
attempt=0
while ! curl -sf "$KEYCLOAK_URL/health/ready" > /dev/null; do
attempt=$((attempt + 1))
if [ $attempt -ge $max_attempts ]; then
echo -e "${RED}✗ Keycloak failed to become ready after $max_attempts attempts${NC}"
exit 1
fi
echo -n "."
sleep 2
done
echo -e "\n${GREEN}✓ Keycloak is ready${NC}\n"
# Test users with expected club memberships
declare -A USERS=(
["admin@test.com"]='{"club-1-uuid":"admin","club-2-uuid":"member"}'
["manager@test.com"]='{"club-1-uuid":"manager"}'
["member1@test.com"]='{"club-1-uuid":"member","club-2-uuid":"member"}'
["member2@test.com"]='{"club-1-uuid":"member"}'
["viewer@test.com"]='{"club-1-uuid":"viewer"}'
)
PASSWORD="testpass123"
EVIDENCE_DIR=".sisyphus/evidence"
mkdir -p "$EVIDENCE_DIR"
RESULTS_FILE="$EVIDENCE_DIR/task-3-user-auth.txt"
JWT_FILE="$EVIDENCE_DIR/task-3-jwt-claims.txt"
# Clear previous results
> "$RESULTS_FILE"
> "$JWT_FILE"
echo "Testing authentication for all users..." | tee -a "$RESULTS_FILE"
echo "=======================================" | tee -a "$RESULTS_FILE"
echo "" | tee -a "$RESULTS_FILE"
success_count=0
failure_count=0
for user in "${!USERS[@]}"; do
expected_clubs="${USERS[$user]}"
echo "Testing: $user" | tee -a "$RESULTS_FILE"
echo "Expected clubs: $expected_clubs" | tee -a "$RESULTS_FILE"
# Request token using direct grant (password grant)
response=$(curl -s -X POST "$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password" \
-d "client_id=$CLIENT_ID" \
-d "username=$user" \
-d "password=$PASSWORD" \
2>&1)
# Check if token was obtained
if echo "$response" | jq -e '.access_token' > /dev/null 2>&1; then
access_token=$(echo "$response" | jq -r '.access_token')
# Decode JWT (extract payload, base64 decode)
payload=$(echo "$access_token" | cut -d. -f2)
# Add padding if needed for base64
padding=$((4 - ${#payload} % 4))
if [ $padding -ne 4 ]; then
payload="${payload}$(printf '=%.0s' $(seq 1 $padding))"
fi
decoded=$(echo "$payload" | base64 -d 2>/dev/null | jq '.')
# Extract clubs claim
clubs_claim=$(echo "$decoded" | jq -c '.clubs // empty')
if [ -z "$clubs_claim" ]; then
echo -e " ${RED}✗ FAILED: No 'clubs' claim found in JWT${NC}" | tee -a "$RESULTS_FILE"
failure_count=$((failure_count + 1))
elif [ "$clubs_claim" == "$expected_clubs" ]; then
echo -e " ${GREEN}✓ SUCCESS: Clubs claim matches expected value${NC}" | tee -a "$RESULTS_FILE"
success_count=$((success_count + 1))
# Save decoded JWT for first successful user (admin)
if [ "$user" == "admin@test.com" ]; then
echo "=== Decoded JWT for admin@test.com ===" > "$JWT_FILE"
echo "$decoded" | jq '.' >> "$JWT_FILE"
echo "" >> "$JWT_FILE"
echo "=== Clubs Claim ===" >> "$JWT_FILE"
echo "$clubs_claim" | jq '.' >> "$JWT_FILE"
fi
else
echo -e " ${YELLOW}✗ FAILED: Clubs claim mismatch${NC}" | tee -a "$RESULTS_FILE"
echo " Expected: $expected_clubs" | tee -a "$RESULTS_FILE"
echo " Got: $clubs_claim" | tee -a "$RESULTS_FILE"
failure_count=$((failure_count + 1))
fi
echo " Claim type: $(echo "$clubs_claim" | jq -r 'type')" | tee -a "$RESULTS_FILE"
else
echo -e " ${RED}✗ FAILED: Could not obtain access token${NC}" | tee -a "$RESULTS_FILE"
echo " Error: $(echo "$response" | jq -r '.error_description // .error // "Unknown error"')" | tee -a "$RESULTS_FILE"
failure_count=$((failure_count + 1))
fi
echo "" | tee -a "$RESULTS_FILE"
done
echo "=======================================" | tee -a "$RESULTS_FILE"
echo "Summary: $success_count passed, $failure_count failed" | tee -a "$RESULTS_FILE"
echo "" | tee -a "$RESULTS_FILE"
if [ $failure_count -eq 0 ]; then
echo -e "${GREEN}✓ All authentication tests passed!${NC}" | tee -a "$RESULTS_FILE"
echo "Evidence saved to:" | tee -a "$RESULTS_FILE"
echo " - $RESULTS_FILE" | tee -a "$RESULTS_FILE"
echo " - $JWT_FILE" | tee -a "$RESULTS_FILE"
exit 0
else
echo -e "${RED}✗ Some tests failed${NC}" | tee -a "$RESULTS_FILE"
exit 1
fi