Kyle Isom
3314b7a618
Phase 2 — internal/storage/: Content-addressed blob storage with atomic writes via rename. BlobWriter stages data in uploads dir with running SHA-256 hash, commits by verifying digest then renaming to layers/sha256/<prefix>/<hex>. Reader provides Open, Stat, Delete, Exists with digest validation. Phase 3 — internal/auth/ + internal/server/: MCIAS client with Login and ValidateToken, 30s SHA-256-keyed cache with lazy eviction and injectable clock for testing. TLS 1.3 minimum with optional custom CA cert. Chi router with RequireAuth middleware (Bearer token extraction, WWW-Authenticate header, OCI error format), token endpoint (Basic auth → bearer exchange via MCIAS), and /v2/ version check handler. 52 tests passing (14 storage + 9 auth + 9 server + 20 existing). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
39 lines
966 B
Go
39 lines
966 B
Go
package storage
|
|
|
|
import (
|
|
"path/filepath"
|
|
"regexp"
|
|
)
|
|
|
|
var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)
|
|
|
|
// Store manages blob storage on the local filesystem.
|
|
type Store struct {
|
|
layersPath string
|
|
uploadsPath string
|
|
}
|
|
|
|
// New creates a Store that will write final blobs under layersPath and
|
|
// stage in-progress uploads under uploadsPath.
|
|
func New(layersPath, uploadsPath string) *Store {
|
|
return &Store{
|
|
layersPath: layersPath,
|
|
uploadsPath: uploadsPath,
|
|
}
|
|
}
|
|
|
|
// validateDigest checks that digest matches sha256:<64 lowercase hex chars>.
|
|
func validateDigest(digest string) error {
|
|
if !digestRe.MatchString(digest) {
|
|
return ErrInvalidDigest
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// blobPath returns the filesystem path for a blob with the given digest.
|
|
// The layout is: <layersPath>/sha256/<first-2-hex>/<full-64-hex>
|
|
func (s *Store) blobPath(digest string) string {
|
|
hex := digest[len("sha256:"):]
|
|
return filepath.Join(s.layersPath, "sha256", hex[0:2], hex)
|
|
}
|