Phases 5, 6, 8: OCI pull/push paths and admin REST API

Phase 5 (OCI pull): internal/oci/ package with manifest GET/HEAD by tag/digest, blob GET/HEAD with repo membership check, tag listing with OCI pagination, catalog listing. Multi-segment repo names via parseOCIPath() right-split routing. DB query layer in internal/db/repository.go. Phase 6 (OCI push): blob uploads (monolithic and chunked) with uploadManager tracking in-progress BlobWriters, manifest push implementing full ARCHITECTURE.md §5 flow in a single SQLite transaction (create repo, upsert manifest, populate manifest_blobs, atomic tag move). Digest verification on both blob commit and manifest push-by-digest. Phase 8 (admin REST): /v1 endpoints for auth (login/logout/health), repository management (list/detail/delete), policy CRUD with engine reload, audit log listing with filters, GC trigger/status stubs. RequireAdmin middleware, platform-standard error format. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 18:25:18 -07:00
parent f5e67bd4aa
commit dddc66f31b
40 changed files with 6832 additions and 7 deletions
--- a/internal/server/admin_repo_test.go
+++ b/internal/server/admin_repo_test.go
@@ -0,0 +1,186 @@
+package server
+
+import (
+	"encoding/json"
+	"testing"
+
+	"git.wntrmute.dev/kyle/mcr/internal/db"
+)
+
+// seedRepoForAdmin inserts a repository with a manifest and tags into the test DB.
+func seedRepoForAdmin(t *testing.T, database *db.DB, name string, tags []string) {
+	t.Helper()
+	_, err := database.Exec(`INSERT INTO repositories (name) VALUES (?)`, name)
+	if err != nil {
+		t.Fatalf("insert repo %q: %v", name, err)
+	}
+	var repoID int64
+	if err := database.QueryRow(`SELECT id FROM repositories WHERE name = ?`, name).Scan(&repoID); err != nil {
+		t.Fatalf("select repo id: %v", err)
+	}
+	_, err = database.Exec(
+		`INSERT INTO manifests (repository_id, digest, media_type, content, size)
+		 VALUES (?, ?, 'application/vnd.oci.image.manifest.v1+json', '{}', 512)`,
+		repoID, "sha256:manifest-"+name,
+	)
+	if err != nil {
+		t.Fatalf("insert manifest: %v", err)
+	}
+	var manifestID int64
+	if err := database.QueryRow(`SELECT id FROM manifests WHERE repository_id = ?`, repoID).Scan(&manifestID); err != nil {
+		t.Fatalf("select manifest id: %v", err)
+	}
+	for _, tag := range tags {
+		_, err := database.Exec(`INSERT INTO tags (repository_id, name, manifest_id) VALUES (?, ?, ?)`,
+			repoID, tag, manifestID)
+		if err != nil {
+			t.Fatalf("insert tag %q: %v", tag, err)
+		}
+	}
+}
+
+func TestAdminListRepos(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	seedRepoForAdmin(t, database, "alpha/app", []string{"latest", "v1.0"})
+	seedRepoForAdmin(t, database, "bravo/lib", []string{"latest"})
+
+	rr := adminReq(t, router, "GET", "/v1/repositories", "")
+	if rr.Code != 200 {
+		t.Fatalf("status: got %d, want 200", rr.Code)
+	}
+
+	var repos []db.RepoMetadata
+	if err := json.NewDecoder(rr.Body).Decode(&repos); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if len(repos) != 2 {
+		t.Fatalf("repo count: got %d, want 2", len(repos))
+	}
+	if repos[0].Name != "alpha/app" {
+		t.Fatalf("first repo: got %q, want %q", repos[0].Name, "alpha/app")
+	}
+	if repos[0].TagCount != 2 {
+		t.Fatalf("tag count: got %d, want 2", repos[0].TagCount)
+	}
+	if repos[0].ManifestCount != 1 {
+		t.Fatalf("manifest count: got %d, want 1", repos[0].ManifestCount)
+	}
+}
+
+func TestAdminListReposEmpty(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	rr := adminReq(t, router, "GET", "/v1/repositories", "")
+	if rr.Code != 200 {
+		t.Fatalf("status: got %d, want 200", rr.Code)
+	}
+
+	var repos []db.RepoMetadata
+	if err := json.NewDecoder(rr.Body).Decode(&repos); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if len(repos) != 0 {
+		t.Fatalf("repo count: got %d, want 0", len(repos))
+	}
+}
+
+func TestAdminListReposPagination(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	seedRepoForAdmin(t, database, "alpha/app", []string{"latest"})
+	seedRepoForAdmin(t, database, "bravo/lib", []string{"latest"})
+	seedRepoForAdmin(t, database, "charlie/svc", []string{"latest"})
+
+	rr := adminReq(t, router, "GET", "/v1/repositories?n=2&offset=0", "")
+	if rr.Code != 200 {
+		t.Fatalf("status: got %d, want 200", rr.Code)
+	}
+
+	var repos []db.RepoMetadata
+	if err := json.NewDecoder(rr.Body).Decode(&repos); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if len(repos) != 2 {
+		t.Fatalf("page 1 count: got %d, want 2", len(repos))
+	}
+}
+
+func TestAdminGetRepoDetail(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	seedRepoForAdmin(t, database, "myorg/myapp", []string{"latest", "v1.0"})
+
+	rr := adminReq(t, router, "GET", "/v1/repositories/myorg/myapp", "")
+	if rr.Code != 200 {
+		t.Fatalf("status: got %d, want 200; body: %s", rr.Code, rr.Body.String())
+	}
+
+	var detail db.RepoDetail
+	if err := json.NewDecoder(rr.Body).Decode(&detail); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if detail.Name != "myorg/myapp" {
+		t.Fatalf("name: got %q, want %q", detail.Name, "myorg/myapp")
+	}
+	if len(detail.Tags) != 2 {
+		t.Fatalf("tag count: got %d, want 2", len(detail.Tags))
+	}
+	if len(detail.Manifests) != 1 {
+		t.Fatalf("manifest count: got %d, want 1", len(detail.Manifests))
+	}
+}
+
+func TestAdminGetRepoDetailNotFound(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	rr := adminReq(t, router, "GET", "/v1/repositories/nonexistent/repo", "")
+	if rr.Code != 404 {
+		t.Fatalf("status: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAdminDeleteRepo(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	seedRepoForAdmin(t, database, "myorg/myapp", []string{"latest"})
+
+	rr := adminReq(t, router, "DELETE", "/v1/repositories/myorg/myapp", "")
+	if rr.Code != 204 {
+		t.Fatalf("status: got %d, want 204; body: %s", rr.Code, rr.Body.String())
+	}
+
+	// Verify it's gone.
+	rr = adminReq(t, router, "GET", "/v1/repositories/myorg/myapp", "")
+	if rr.Code != 404 {
+		t.Fatalf("after delete status: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAdminDeleteRepoNotFound(t *testing.T) {
+	database := openAdminTestDB(t)
+	router, _ := buildAdminRouter(t, database)
+
+	rr := adminReq(t, router, "DELETE", "/v1/repositories/nonexistent/repo", "")
+	if rr.Code != 404 {
+		t.Fatalf("status: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAdminDeleteRepoNonAdmin(t *testing.T) {
+	database := openAdminTestDB(t)
+	router := buildNonAdminRouter(t, database)
+
+	seedRepoForAdmin(t, database, "myorg/myapp", []string{"latest"})
+
+	rr := adminReq(t, router, "DELETE", "/v1/repositories/myorg/myapp", "")
+	if rr.Code != 403 {
+		t.Fatalf("status: got %d, want 403", rr.Code)
+	}
+}