Batch A: blob storage layer, MCIAS auth, OCI token endpoint

Phase 2 — internal/storage/: Content-addressed blob storage with atomic writes via rename. BlobWriter stages data in uploads dir with running SHA-256 hash, commits by verifying digest then renaming to layers/sha256/<prefix>/<hex>. Reader provides Open, Stat, Delete, Exists with digest validation. Phase 3 — internal/auth/ + internal/server/: MCIAS client with Login and ValidateToken, 30s SHA-256-keyed cache with lazy eviction and injectable clock for testing. TLS 1.3 minimum with optional custom CA cert. Chi router with RequireAuth middleware (Bearer token extraction, WWW-Authenticate header, OCI error format), token endpoint (Basic auth → bearer exchange via MCIAS), and /v2/ version check handler. 52 tests passing (14 storage + 9 auth + 9 server + 20 existing). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:51:19 -07:00
parent fde66be9c1
commit 3314b7a618
25 changed files with 1696 additions and 6 deletions
--- a/internal/server/token_test.go
+++ b/internal/server/token_test.go
@@ -0,0 +1,98 @@
+package server
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"git.wntrmute.dev/kyle/mcr/internal/auth"
+)
+
+type fakeLoginClient struct {
+	token     string
+	expiresIn int
+	err       error
+}
+
+func (f *fakeLoginClient) Login(_, _ string) (string, int, error) {
+	return f.token, f.expiresIn, f.err
+}
+
+func TestTokenHandlerSuccess(t *testing.T) {
+	t.Helper()
+	lc := &fakeLoginClient{token: "tok-xyz", expiresIn: 7200}
+	handler := TokenHandler(lc)
+
+	req := httptest.NewRequest(http.MethodGet, "/v2/token", nil)
+	req.SetBasicAuth("alice", "secret")
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status: got %d, want %d", rec.Code, http.StatusOK)
+	}
+
+	var resp tokenResponse
+	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if resp.Token != "tok-xyz" {
+		t.Fatalf("token: got %q, want %q", resp.Token, "tok-xyz")
+	}
+	if resp.ExpiresIn != 7200 {
+		t.Fatalf("expires_in: got %d, want %d", resp.ExpiresIn, 7200)
+	}
+	if resp.IssuedAt == "" {
+		t.Fatal("issued_at: expected non-empty RFC 3339 timestamp")
+	}
+}
+
+func TestTokenHandlerInvalidCreds(t *testing.T) {
+	t.Helper()
+	lc := &fakeLoginClient{err: auth.ErrUnauthorized}
+	handler := TokenHandler(lc)
+
+	req := httptest.NewRequest(http.MethodGet, "/v2/token", nil)
+	req.SetBasicAuth("alice", "wrong")
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("status: got %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+
+	var ociErr ociErrorResponse
+	if err := json.NewDecoder(rec.Body).Decode(&ociErr); err != nil {
+		t.Fatalf("decode OCI error: %v", err)
+	}
+	if len(ociErr.Errors) != 1 || ociErr.Errors[0].Code != "UNAUTHORIZED" {
+		t.Fatalf("OCI error: got %+v, want UNAUTHORIZED", ociErr.Errors)
+	}
+}
+
+func TestTokenHandlerMissingAuth(t *testing.T) {
+	t.Helper()
+	lc := &fakeLoginClient{token: "should-not-matter"}
+	handler := TokenHandler(lc)
+
+	req := httptest.NewRequest(http.MethodGet, "/v2/token", nil)
+	// No Authorization header.
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("status: got %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+
+	var ociErr ociErrorResponse
+	if err := json.NewDecoder(rec.Body).Decode(&ociErr); err != nil {
+		t.Fatalf("decode OCI error: %v", err)
+	}
+	if len(ociErr.Errors) != 1 || ociErr.Errors[0].Code != "UNAUTHORIZED" {
+		t.Fatalf("OCI error: got %+v, want UNAUTHORIZED", ociErr.Errors)
+	}
+}