Migrate gRPC server to mcdsl grpcserver package
Replace MCR's custom auth, admin, and logging interceptors with the shared mcdsl grpcserver package. This eliminates ~110 lines of interceptor code and uses the same method-map auth pattern used by metacrypt. Key changes: - server.go: delegate to mcdslgrpc.New() for TLS, logging, and auth - interceptors.go: replaced with MethodMap definition (public, auth-required, admin-required) - Handler files: switch from auth.ClaimsFromContext to mcdslauth.TokenInfoFromContext - auth/client.go: add Authenticator() accessor for the underlying mcdsl authenticator - Tests: use mock MCIAS HTTP server instead of fakeValidator interface - Vendor: add mcdsl/grpcserver to vendor directory ListRepositories and GetRepository are now explicitly auth-required (not admin-required), matching the REST API. Previously they were implicitly auth-required by not being in the bypass or admin maps. Security: method map uses default-deny -- unmapped RPCs are rejected. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -15,6 +15,13 @@ type Client struct {
|
||||
auth *mcdslauth.Authenticator
|
||||
}
|
||||
|
||||
// Authenticator returns the underlying mcdsl/auth.Authenticator. This is
|
||||
// used by the gRPC server which delegates auth to the mcdsl grpcserver
|
||||
// package.
|
||||
func (c *Client) Authenticator() *mcdslauth.Authenticator {
|
||||
return c.auth
|
||||
}
|
||||
|
||||
// NewClient creates an auth Client that talks to the MCIAS server at
|
||||
// serverURL. If caCert is non-empty, it is used as a custom CA cert.
|
||||
// TLS 1.3 is required for all HTTPS connections.
|
||||
|
||||
Reference in New Issue
Block a user