Batch A: blob storage layer, MCIAS auth, OCI token endpoint

Phase 2 — internal/storage/: Content-addressed blob storage with atomic writes via rename. BlobWriter stages data in uploads dir with running SHA-256 hash, commits by verifying digest then renaming to layers/sha256/<prefix>/<hex>. Reader provides Open, Stat, Delete, Exists with digest validation. Phase 3 — internal/auth/ + internal/server/: MCIAS client with Login and ValidateToken, 30s SHA-256-keyed cache with lazy eviction and injectable clock for testing. TLS 1.3 minimum with optional custom CA cert. Chi router with RequireAuth middleware (Bearer token extraction, WWW-Authenticate header, OCI error format), token endpoint (Basic auth → bearer exchange via MCIAS), and /v2/ version check handler. 52 tests passing (14 storage + 9 auth + 9 server + 20 existing). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:51:19 -07:00
parent fde66be9c1
commit 3314b7a618
25 changed files with 1696 additions and 6 deletions
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -0,0 +1,21 @@
+package server
+
+import "github.com/go-chi/chi/v5"
+
+// NewRouter builds the chi router with all OCI Distribution Spec
+// endpoints and auth middleware wired up.
+func NewRouter(validator TokenValidator, loginClient LoginClient, serviceName string) *chi.Mux {
+	r := chi.NewRouter()
+
+	// Token endpoint is NOT behind RequireAuth — clients use Basic auth
+	// here to obtain a bearer token.
+	r.Get("/v2/token", TokenHandler(loginClient))
+
+	// All other /v2 endpoints require a valid bearer token.
+	r.Route("/v2", func(v2 chi.Router) {
+		v2.Use(RequireAuth(validator, serviceName))
+		v2.Get("/", V2Handler())
+	})
+
+	return r
+}