feat: OIDC token validation policy for portal/MCP access control #13

Merged: ynotbhatc merged 1 commit into main from feat/oidc-governance on May 1, 2026
Conversation

@ynotbhatc (Owner)

Summary

Adds governance/oidc/oidc_token_validation.rego — a cross-cutting OIDC governance policy that validates JWT claims from Keycloak / Red Hat SSO before allowing access to AAC compliance operations.

Policy: governance.oidc

Endpoint: POST :8182/v1/data/governance/oidc

Input schema:

```json
{
  "input": {
    "token": {
      "claims": {
        "sub": "user-uuid",
        "preferred_username": "jsmith",
        "realm_access": { "roles": ["analyst"] }
      }
    },
    "resource": {
      "type": "oscal",
      "framework": "cis_rhel9",
      "hostname": "web-01.example.com"
    }
  }
}
```

Role model:

| Role | Allowed resources |
|---|---|
| viewer | results, frameworks, hosts, trend |
| analyst | + reports, OSCAL export |
| auditor | + remediation tracking |
| admin | + assessment launch (AAP job templates) |

Framework restrictions: OT/critical infrastructure frameworks (nerc_cip, iec_62443, ami_nist_ir7628, nist_800_82) require auditor+ regardless of resource type.

Why it belongs in the library

This is a cross-cutting governance concern reusable by:

  • AAC Customer Portal API (FastAPI OIDC middleware calls OPA to authorize resource access)
  • MCP server (validates which users can trigger which job templates)
  • Any future AAC service that integrates with Keycloak / Red Hat SSO

Placing it in the library alongside governance/mcp/mcp_governance.rego and governance/ai/ keeps all access control policies in one versioned, auditable location.

🤖 Generated with Claude Code
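The role model and OT framework restriction described in the PR, written out as an added Rego sketch; this is not the PR's own `governance/oidc/oidc_token_validation.rego`. It assumes resource type strings other than `oscal` (`results`, `frameworks`, `hosts`, `trend`, `reports`, `remediation`, `assessment`), reads roles from `realm_access.roles` as in the input schema, and assumes the caller (portal middleware or MCP server) has already verified the JWT signature and expiry before handing the claims to OPA.

```rego
# Added example sketch of the described policy, not the merged file.
package governance.oidc

import rego.v1

# Deny by default: unknown roles, resource types or missing claims never pass.
default allow := false

# Role hierarchy: each role inherits everything granted to the roles below it.
role_rank := {"viewer": 1, "analyst": 2, "auditor": 3, "admin": 4}

# Minimum rank per resource type (type names other than "oscal" are assumed).
required_rank := {
	"results": 1, "frameworks": 1, "hosts": 1, "trend": 1,
	"reports": 2, "oscal": 2,
	"remediation": 3,
	"assessment": 4,
}

# OT / critical-infrastructure frameworks require auditor+ for any resource type.
ot_frameworks := {"nerc_cip", "iec_62443", "ami_nist_ir7628", "nist_800_82"}

# Highest rank among the caller's realm roles that this policy recognises;
# undefined (and therefore a deny) when none of the roles are known.
user_rank := max({r | some role in input.token.claims.realm_access.roles; r := role_rank[role]})

# Floor for the requested resource type; undefined for unknown types.
needed := required_rank[input.resource.type]

# Raise the floor to auditor (3) when an OT framework is involved.
needed_with_ot := 3 if {
	input.resource.framework in ot_frameworks
	needed < 3
} else := needed

allow if {
	input.token.claims.sub != ""
	user_rank >= needed_with_ot
}

# Reason string the portal/MCP caller can log on a denied request.
deny_reason := msg if {
	not allow
	fw := object.get(input.resource, "framework", "none")
	msg := sprintf("role rank %d below required %d for %s/%s", [user_rank, needed_with_ot, input.resource.type, fw])
}
```

With the PR's sample input (`analyst`, `oscal`, `cis_rhel9`) `allow` is true; changing the framework to `nerc_cip` raises the required rank to 3 and the same analyst is denied.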

Validates JWT claims from Keycloak / Red Hat SSO before allowing access
to AAC compliance operations. Four roles: viewer, analyst, auditor, admin.
OT frameworks require auditor+ regardless of resource type.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ynotbhatc ynotbhatc merged commit cee1de4 into main May 1, 2026
1 check passed