Kyle Isom
3314b7a618
Phase 2 — internal/storage/: Content-addressed blob storage with atomic writes via rename. BlobWriter stages data in uploads dir with running SHA-256 hash, commits by verifying digest then renaming to layers/sha256/<prefix>/<hex>. Reader provides Open, Stat, Delete, Exists with digest validation. Phase 3 — internal/auth/ + internal/server/: MCIAS client with Login and ValidateToken, 30s SHA-256-keyed cache with lazy eviction and injectable clock for testing. TLS 1.3 minimum with optional custom CA cert. Chi router with RequireAuth middleware (Bearer token extraction, WWW-Authenticate header, OCI error format), token endpoint (Basic auth → bearer exchange via MCIAS), and /v2/ version check handler. 52 tests passing (14 storage + 9 auth + 9 server + 20 existing). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
28 lines
758 B
Go
28 lines
758 B
Go
package auth
|
|
|
|
import "context"
|
|
|
|
// Claims represents the validated identity and roles extracted from an
|
|
// MCIAS token.
|
|
type Claims struct {
|
|
Subject string
|
|
AccountType string
|
|
Roles []string
|
|
}
|
|
|
|
// claimsKey is an unexported type used as the context key for Claims,
|
|
// preventing collisions with keys from other packages.
|
|
type claimsKey struct{}
|
|
|
|
// ContextWithClaims returns a new context carrying the given Claims.
|
|
func ContextWithClaims(ctx context.Context, c *Claims) context.Context {
|
|
return context.WithValue(ctx, claimsKey{}, c)
|
|
}
|
|
|
|
// ClaimsFromContext extracts Claims from the context. It returns nil if
|
|
// no claims are present.
|
|
func ClaimsFromContext(ctx context.Context) *Claims {
|
|
c, _ := ctx.Value(claimsKey{}).(*Claims)
|
|
return c
|
|
}
|