Add auth package: MCIAS token validation with caching

- Authenticator with Login, ValidateToken, Logout
- 30-second SHA-256-keyed cache with lazy eviction
- TLS 1.3, custom CA support, service context (name + tags)
- Error types: ErrInvalidToken, ErrInvalidCredentials,
  ErrForbidden, ErrUnavailable
- Context helpers for TokenInfo propagation
- 14 tests with mock MCIAS server and injectable clock

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 14:24:52 -07:00
parent 8b4db22c93
commit 38da2e9a4b
5 changed files with 741 additions and 6 deletions


@@ -2,7 +2,7 @@
## Current State
Phase 1 complete. The `db` package is implemented and tested.
Phase 2 complete. The `db` and `auth` packages are implemented and tested.
## Completed
@@ -24,11 +24,28 @@ Phase 1 complete. The `db` package is implemented and tested.
- `SchemaVersion(database *sql.DB) (int, error)` — highest applied version
- `Snapshot(database *sql.DB, destPath string) error` — VACUUM INTO with
0600 permissions, creates parent dirs
- 11 tests: open (pragmas, permissions, parent dir, existing DB), migrate
(fresh, idempotent, incremental, records name), schema version (empty),
snapshot (data integrity, permissions, parent dir)
- `make all` passes clean (vet, lint 0 issues, 11/11 tests, build)
- 11 tests covering open, migrate, and snapshot
### Phase 2: `auth` — MCIAS Token Validation (2026-03-25)
- `Config` type matching `[mcias]` TOML section (ServerURL, CACert,
ServiceName, Tags)
- `TokenInfo` type (Username, Roles, IsAdmin)
- `New(cfg Config, logger *slog.Logger) (*Authenticator, error)` — creates
MCIAS client with TLS 1.3, custom CA support, 10s timeout
- `Login(username, password, totpCode string) (token, expiresAt, err)`
forwards to MCIAS with service context, returns ErrForbidden for policy
denials, ErrInvalidCredentials for bad creds
- `ValidateToken(token string) (*TokenInfo, error)` — 30s SHA-256-keyed
cache, lazy eviction, concurrent-safe (RWMutex)
- `Logout(token string) error` — revokes token on MCIAS
- Error types: ErrInvalidToken, ErrInvalidCredentials, ErrForbidden,
ErrUnavailable
- Context helpers: ContextWithTokenInfo, TokenInfoFromContext
- 14 tests: login (success, invalid creds, forbidden), validate (admin,
non-admin, expired, unknown), cache (hit, expiry via injectable clock),
logout, constructor validation, context roundtrip, admin detection
- `make all` passes clean (vet, lint 0 issues, 25 total tests, build)
## Next Steps
- Phase 2: `auth` package (MCIAS token validation with caching)
- Phase 3: `config` package (TOML loading, env overrides, standard sections)
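Review bot: the `ValidateToken` entry documents a "30s SHA-256-keyed cache, lazy eviction" but the `Logout(token string) error — revokes token on MCIAS` entry does not say whether revocation evicts the cached validation result; with lazy eviction alone, a token revoked through Logout is still accepted by ValidateToken for up to 30 seconds on a cache hit. Either state that Logout deletes the SHA-256(token) entry and have the logout test assert that a following ValidateToken misses the cache and returns ErrInvalidToken, or record the 30s revocation lag as an accepted trade-off in this section. Two related gaps in the same list: the cache TTL should be capped at the token's own expiry so an entry never outlives the `expiresAt` returned by Login, and the test inventory (login, validate, cache, logout, constructor validation, context roundtrip, admin detection) has no ErrUnavailable case, which is the fail-closed path when MCIAS is unreachable and no fresh cache entry exists; add one so a transport error is never mapped to ErrInvalidToken or treated as a successful validation.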