mc/mcr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
3314b7a61887b79e2e4bb1ed20510d1387e87348
mcr/internal/auth/client.go
Kyle Isom 3314b7a618 Batch A: blob storage layer, MCIAS auth, OCI token endpoint 
Phase 2 — internal/storage/:
Content-addressed blob storage with atomic writes via rename.
BlobWriter stages data in uploads dir with running SHA-256 hash,
commits by verifying digest then renaming to layers/sha256/<prefix>/<hex>.
Reader provides Open, Stat, Delete, Exists with digest validation.

Phase 3 — internal/auth/ + internal/server/:
MCIAS client with Login and ValidateToken, 30s SHA-256-keyed cache
with lazy eviction and injectable clock for testing. TLS 1.3 minimum
with optional custom CA cert.
Chi router with RequireAuth middleware (Bearer token extraction,
WWW-Authenticate header, OCI error format), token endpoint (Basic
auth → bearer exchange via MCIAS), and /v2/ version check handler.

52 tests passing (14 storage + 9 auth + 9 server + 20 existing).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:51:19 -07:00

180 lines
4.6 KiB
Go
Raw Blame History

package auth
import (
"bytes"
"crypto/sha256"
"crypto/tls"
"crypto/x509"
"encoding/hex"
"encoding/json"
"fmt"
"net/http"
"os"
"strings"
"time"
)
const cacheTTL = 30 * time.Second
// Client communicates with an MCIAS server for authentication and token
// validation. It caches successful validation results for 30 seconds.
type Client struct {
httpClient *http.Client
baseURL string
serviceName string
tags []string
cache *validationCache
}
// NewClient creates an auth Client that talks to the MCIAS server at
// serverURL. If caCert is non-empty, it is loaded as a PEM file and
// used as the only trusted root CA. TLS 1.3 is required for all HTTPS
// connections.
//
// For plain HTTP URLs (used in tests), TLS configuration is skipped.
func NewClient(serverURL, caCert, serviceName string, tags []string) (*Client, error) {
transport := &http.Transport{}
if !strings.HasPrefix(serverURL, "http://") {
tlsCfg := &tls.Config{
MinVersion: tls.VersionTLS13,
}
if caCert != "" {
pem, err := os.ReadFile(caCert) //nolint:gosec // CA cert path is operator-supplied
if err != nil {
return nil, fmt.Errorf("auth: read CA cert %s: %w", caCert, err)
}
pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM(pem) {
return nil, fmt.Errorf("auth: no valid certificates in %s", caCert)
}
tlsCfg.RootCAs = pool
}
transport.TLSClientConfig = tlsCfg
}
return &Client{
httpClient: &http.Client{
Transport: transport,
Timeout: 10 * time.Second,
},
baseURL: strings.TrimRight(serverURL, "/"),
serviceName: serviceName,
tags: tags,
cache: newCache(cacheTTL),
}, nil
}
// loginRequest is the JSON body sent to MCIAS /v1/auth/login.
type loginRequest struct {
Username string `json:"username"`
Password string `json:"password"`
ServiceName string `json:"service_name"`
Tags []string `json:"tags,omitempty"`
}
// loginResponse is the JSON body returned by MCIAS /v1/auth/login.
type loginResponse struct {
Token string `json:"token"`
ExpiresIn int `json:"expires_in"`
}
// Login authenticates a user against MCIAS and returns a bearer token.
func (c *Client) Login(username, password string) (token string, expiresIn int, err error) {
body, err := json.Marshal(loginRequest{ //nolint:gosec // G117: password is intentionally sent to MCIAS for authentication
Username: username,
Password: password,
ServiceName: c.serviceName,
Tags: c.tags,
})
if err != nil {
return "", 0, fmt.Errorf("auth: marshal login request: %w", err)
}
resp, err := c.httpClient.Post(
c.baseURL+"/v1/auth/login",
"application/json",
bytes.NewReader(body),
)
if err != nil {
return "", 0, fmt.Errorf("auth: MCIAS login: %w", ErrMCIASUnavailable)
}
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode != http.StatusOK {
return "", 0, ErrUnauthorized
}
var lr loginResponse
if err := json.NewDecoder(resp.Body).Decode(&lr); err != nil {
return "", 0, fmt.Errorf("auth: decode login response: %w", err)
}
return lr.Token, lr.ExpiresIn, nil
}
// validateRequest is the JSON body sent to MCIAS /v1/token/validate.
type validateRequest struct {
Token string `json:"token"`
}
// validateResponse is the JSON body returned by MCIAS /v1/token/validate.
type validateResponse struct {
Valid bool `json:"valid"`
Claims struct {
Subject string `json:"subject"`
AccountType string `json:"account_type"`
Roles []string `json:"roles"`
} `json:"claims"`
}
// ValidateToken checks a bearer token against MCIAS. Results are cached
// by SHA-256 hash for 30 seconds.
func (c *Client) ValidateToken(token string) (*Claims, error) {
h := sha256.Sum256([]byte(token))
tokenHash := hex.EncodeToString(h[:])
if claims, ok := c.cache.get(tokenHash); ok {
return claims, nil
}
body, err := json.Marshal(validateRequest{Token: token})
if err != nil {
return nil, fmt.Errorf("auth: marshal validate request: %w", err)
}
resp, err := c.httpClient.Post(
c.baseURL+"/v1/token/validate",
"application/json",
bytes.NewReader(body),
)
if err != nil {
return nil, fmt.Errorf("auth: MCIAS validate: %w", ErrMCIASUnavailable)
}
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode != http.StatusOK {
return nil, ErrUnauthorized
}
var vr validateResponse
if err := json.NewDecoder(resp.Body).Decode(&vr); err != nil {
return nil, fmt.Errorf("auth: decode validate response: %w", err)
}
if !vr.Valid {
return nil, ErrUnauthorized
}
claims := &Claims{
Subject: vr.Claims.Subject,
AccountType: vr.Claims.AccountType,
Roles: vr.Claims.Roles,
}
c.cache.put(tokenHash, claims)
return claims, nil
}
Reference in New Issue View Git Blame Copy Permalink