Kyle Isom
758aa91bfc
Replace MCR's custom auth, admin, and logging interceptors with the shared mcdsl grpcserver package. This eliminates ~110 lines of interceptor code and uses the same method-map auth pattern used by metacrypt. Key changes: - server.go: delegate to mcdslgrpc.New() for TLS, logging, and auth - interceptors.go: replaced with MethodMap definition (public, auth-required, admin-required) - Handler files: switch from auth.ClaimsFromContext to mcdslauth.TokenInfoFromContext - auth/client.go: add Authenticator() accessor for the underlying mcdsl authenticator - Tests: use mock MCIAS HTTP server instead of fakeValidator interface - Vendor: add mcdsl/grpcserver to vendor directory ListRepositories and GetRepository are now explicitly auth-required (not admin-required), matching the REST API. Previously they were implicitly auth-required by not being in the bypass or admin maps. Security: method map uses default-deny -- unmapped RPCs are rejected. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
72 lines
2.0 KiB
Go
72 lines
2.0 KiB
Go
package auth
|
|
|
|
import (
|
|
"errors"
|
|
"log/slog"
|
|
|
|
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
|
)
|
|
|
|
// Client communicates with an MCIAS server for authentication and token
|
|
// validation. It delegates to mcdsl/auth.Authenticator and adapts the
|
|
// results to MCR's Claims type (which includes AccountType for the policy
|
|
// engine).
|
|
type Client struct {
|
|
auth *mcdslauth.Authenticator
|
|
}
|
|
|
|
// Authenticator returns the underlying mcdsl/auth.Authenticator. This is
|
|
// used by the gRPC server which delegates auth to the mcdsl grpcserver
|
|
// package.
|
|
func (c *Client) Authenticator() *mcdslauth.Authenticator {
|
|
return c.auth
|
|
}
|
|
|
|
// NewClient creates an auth Client that talks to the MCIAS server at
|
|
// serverURL. If caCert is non-empty, it is used as a custom CA cert.
|
|
// TLS 1.3 is required for all HTTPS connections.
|
|
func NewClient(serverURL, caCert, serviceName string, tags []string) (*Client, error) {
|
|
a, err := mcdslauth.New(mcdslauth.Config{
|
|
ServerURL: serverURL,
|
|
CACert: caCert,
|
|
ServiceName: serviceName,
|
|
Tags: tags,
|
|
}, slog.Default())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &Client{auth: a}, nil
|
|
}
|
|
|
|
// Login authenticates a user against MCIAS and returns a bearer token.
|
|
func (c *Client) Login(username, password string) (token string, expiresIn int, err error) {
|
|
tok, _, loginErr := c.auth.Login(username, password, "")
|
|
if loginErr != nil {
|
|
if errors.Is(loginErr, mcdslauth.ErrForbidden) {
|
|
return "", 0, ErrForbidden
|
|
}
|
|
if errors.Is(loginErr, mcdslauth.ErrInvalidCredentials) {
|
|
return "", 0, ErrUnauthorized
|
|
}
|
|
return "", 0, loginErr
|
|
}
|
|
return tok, 0, nil
|
|
}
|
|
|
|
// ValidateToken checks a bearer token against MCIAS. Results are cached
|
|
// by SHA-256 hash for 30 seconds (handled by mcdsl/auth).
|
|
func (c *Client) ValidateToken(token string) (*Claims, error) {
|
|
info, err := c.auth.ValidateToken(token)
|
|
if err != nil {
|
|
if errors.Is(err, mcdslauth.ErrInvalidToken) {
|
|
return nil, ErrUnauthorized
|
|
}
|
|
return nil, ErrMCIASUnavailable
|
|
}
|
|
return &Claims{
|
|
Subject: info.Username,
|
|
AccountType: info.AccountType,
|
|
Roles: info.Roles,
|
|
}, nil
|
|
}
|