Migrate gRPC server to mcdsl grpcserver package

Replace MCR's custom auth, admin, and logging interceptors with the
shared mcdsl grpcserver package. This eliminates ~110 lines of
interceptor code and uses the same method-map auth pattern used by
metacrypt.

Key changes:
- server.go: delegate to mcdslgrpc.New() for TLS, logging, and auth
- interceptors.go: replaced with MethodMap definition (public, auth-required, admin-required)
- Handler files: switch from auth.ClaimsFromContext to mcdslauth.TokenInfoFromContext
- auth/client.go: add Authenticator() accessor for the underlying mcdsl authenticator
- Tests: use mock MCIAS HTTP server instead of fakeValidator interface
- Vendor: add mcdsl/grpcserver to vendor directory

ListRepositories and GetRepository are now explicitly auth-required
(not admin-required), matching the REST API. Previously they were
implicitly auth-required by not being in the bypass or admin maps.

Security: method map uses default-deny -- unmapped RPCs are rejected.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:46:03 -07:00
parent ef39152f4e
commit 758aa91bfc
11 changed files with 495 additions and 310 deletions


@@ -162,13 +162,13 @@ func runServer(configPath string) error {
var grpcLis net.Listener
if cfg.Server.GRPCAddr != "" {
grpcDeps := grpcserver.Deps{
DB: database,
Validator: authClient,
Engine: policyEngine,
AuditFn: auditFn,
Collector: collector,
DB: database,
Authenticator: authClient.Authenticator(),
Engine: policyEngine,
AuditFn: auditFn,
Collector: collector,
}
grpcSrv, err = grpcserver.New(cfg.Server.TLSCert, cfg.Server.TLSKey, grpcDeps)
grpcSrv, err = grpcserver.New(cfg.Server.TLSCert, cfg.Server.TLSKey, grpcDeps, logger)
if err != nil {
return fmt.Errorf("create gRPC server: %w", err)
}
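Review bot: the `Deps` struct in this hunk swaps `Validator: authClient` for `Authenticator: authClient.Authenticator()`, but nothing in `runServer` guards against that accessor returning nil (for example when the MCIAS client was built without auth configuration); since the commit message relies on `grpcserver.New` installing the default-deny auth interceptor from this field, a nil value would either panic at first RPC or, depending on how the shared package treats a nil authenticator, leave the method map unenforced. Suggest failing fast before constructing `grpcDeps`, e.g. `if authClient.Authenticator() == nil { return fmt.Errorf("gRPC server requires a configured authenticator") }`, and adding a one-line comment above the `grpcserver.New(cfg.Server.TLSCert, cfg.Server.TLSKey, grpcDeps, logger)` call stating that TLS, logging and auth interceptors are all wired inside the shared package, so a future reader does not look for them in this file.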