mc/mcr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
185b68ff6d26052794cf0c813b1695c62d6e495d
mcr/internal/server/routes_test.go
Kyle Isom 3314b7a618 Batch A: blob storage layer, MCIAS auth, OCI token endpoint 
Phase 2 — internal/storage/:
Content-addressed blob storage with atomic writes via rename.
BlobWriter stages data in uploads dir with running SHA-256 hash,
commits by verifying digest then renaming to layers/sha256/<prefix>/<hex>.
Reader provides Open, Stat, Delete, Exists with digest validation.

Phase 3 — internal/auth/ + internal/server/:
MCIAS client with Login and ValidateToken, 30s SHA-256-keyed cache
with lazy eviction and injectable clock for testing. TLS 1.3 minimum
with optional custom CA cert.
Chi router with RequireAuth middleware (Bearer token extraction,
WWW-Authenticate header, OCI error format), token endpoint (Basic
auth → bearer exchange via MCIAS), and /v2/ version check handler.

52 tests passing (14 storage + 9 auth + 9 server + 20 existing).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:51:19 -07:00

95 lines
2.6 KiB
Go
Raw Blame History

package server
import (
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"git.wntrmute.dev/kyle/mcr/internal/auth"
)
func TestRoutesV2Authenticated(t *testing.T) {
t.Helper()
validator := &fakeValidator{
claims: &auth.Claims{Subject: "alice", AccountType: "user", Roles: []string{"reader"}},
}
loginClient := &fakeLoginClient{token: "tok-abc", expiresIn: 3600}
router := NewRouter(validator, loginClient, "mcr-test")
req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
req.Header.Set("Authorization", "Bearer valid-token")
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("status: got %d, want %d", rec.Code, http.StatusOK)
}
ct := rec.Header().Get("Content-Type")
if ct != "application/json" {
t.Fatalf("Content-Type: got %q, want %q", ct, "application/json")
}
body := rec.Body.String()
if body != "{}" {
t.Fatalf("body: got %q, want %q", body, "{}")
}
}
func TestRoutesV2Unauthenticated(t *testing.T) {
t.Helper()
validator := &fakeValidator{claims: nil, err: auth.ErrUnauthorized}
loginClient := &fakeLoginClient{}
router := NewRouter(validator, loginClient, "mcr-test")
req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
// No Authorization header.
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusUnauthorized {
t.Fatalf("status: got %d, want %d", rec.Code, http.StatusUnauthorized)
}
wwwAuth := rec.Header().Get("WWW-Authenticate")
want := `Bearer realm="/v2/token",service="mcr-test"`
if wwwAuth != want {
t.Fatalf("WWW-Authenticate: got %q, want %q", wwwAuth, want)
}
}
func TestRoutesTokenEndpoint(t *testing.T) {
t.Helper()
// The validator should never be called for /v2/token.
validator := &fakeValidator{claims: nil, err: auth.ErrUnauthorized}
loginClient := &fakeLoginClient{token: "tok-from-login", expiresIn: 1800}
router := NewRouter(validator, loginClient, "mcr-test")
req := httptest.NewRequest(http.MethodGet, "/v2/token", nil)
req.SetBasicAuth("bob", "password")
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("status: got %d, want %d", rec.Code, http.StatusOK)
}
var resp tokenResponse
if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
t.Fatalf("decode response: %v", err)
}
if resp.Token != "tok-from-login" {
t.Fatalf("token: got %q, want %q", resp.Token, "tok-from-login")
}
if resp.ExpiresIn != 1800 {
t.Fatalf("expires_in: got %d, want %d", resp.ExpiresIn, 1800)
}
if resp.IssuedAt == "" {
t.Fatal("issued_at: expected non-empty RFC 3339 timestamp")
}
}
Reference in New Issue View Git Blame Copy Permalink