From 2a927e53590b12915058f8e92c1e4772a42e513e Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Thu, 26 Mar 2026 14:09:58 -0700 Subject: [PATCH] Migrate config to mcdsl: Load[T], env overrides, embedded types MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace local TOML loading with mcdsl/config.Load[Config] which adds METACRYPT_ environment variable overrides. ServerConfig and MCIASConfig now embed their mcdsl counterparts, extending with ExternalURL and ServiceToken respectively. DatabaseConfig and LogConfig replaced with mcdsl types directly. TOML structure is preserved — no config file changes needed. Co-Authored-By: Claude Opus 4.6 (1M context) --- go.mod | 2 +- internal/config/config.go | 93 +++++++++++++--------------------- internal/config/config_test.go | 32 ++++++++++++ internal/server/server_test.go | 15 ++++-- 4 files changed, 79 insertions(+), 63 deletions(-) diff --git a/go.mod b/go.mod index 3c6e2c4..e48ed22 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,6 @@ require ( git.wntrmute.dev/kyle/goutils v1.21.0 git.wntrmute.dev/kyle/mcdsl v1.0.0 github.com/go-chi/chi/v5 v5.2.5 - github.com/pelletier/go-toml/v2 v2.3.0 github.com/spf13/cobra v1.10.2 github.com/spf13/viper v1.21.0 golang.org/x/crypto v0.49.0 @@ -23,6 +22,7 @@ require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/ncruces/go-strftime v1.0.0 // indirect + github.com/pelletier/go-toml/v2 v2.3.0 // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect github.com/sagikazarmark/locafero v0.11.0 // indirect github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect diff --git a/internal/config/config.go b/internal/config/config.go index 5c98c1d..b9e70f7 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -3,9 +3,9 @@ package config import ( "fmt" - "os" - "github.com/pelletier/go-toml/v2" + mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth" + mcdslconfig "git.wntrmute.dev/kyle/mcdsl/config" ) // Config is the top-level configuration for Metacrypt. @@ -13,29 +13,24 @@ type Config struct { Server ServerConfig `toml:"server"` Web WebConfig `toml:"web"` MCIAS MCIASConfig `toml:"mcias"` - Database DatabaseConfig `toml:"database"` - Log LogConfig `toml:"log"` + Database mcdslconfig.DatabaseConfig `toml:"database"` + Log mcdslconfig.LogConfig `toml:"log"` Seal SealConfig `toml:"seal"` Audit AuditConfig `toml:"audit"` } -// AuditConfig holds audit logging settings. -type AuditConfig struct { - // Mode controls audit log output: "file", "stdout", or "" (disabled). - Mode string `toml:"mode"` - // Path is the audit log file path (required when mode is "file"). - Path string `toml:"path"` - // IncludeReads enables audit logging for read-only operations. - IncludeReads bool `toml:"include_reads"` +// ServerConfig holds HTTP/gRPC server settings. It embeds the standard +// mcdsl server config and adds the ACME external URL. +type ServerConfig struct { + mcdslconfig.ServerConfig + ExternalURL string `toml:"external_url"` // public base URL for ACME directory } -// ServerConfig holds HTTP/gRPC server settings. -type ServerConfig struct { - ListenAddr string `toml:"listen_addr"` - GRPCAddr string `toml:"grpc_addr"` - TLSCert string `toml:"tls_cert"` - TLSKey string `toml:"tls_key"` - ExternalURL string `toml:"external_url"` // public base URL for ACME directory, e.g. "https://metacrypt.example.com" +// MCIASConfig holds MCIAS integration settings. It embeds the standard +// mcdsl auth config and adds the service token for web UI login. +type MCIASConfig struct { + mcdslauth.Config + ServiceToken string `toml:"service_token"` } // WebConfig holds settings for the standalone web UI server (metacrypt-web). @@ -56,16 +51,14 @@ type WebConfig struct { TLSKey string `toml:"tls_key"` } -// DatabaseConfig holds SQLite database settings. -type DatabaseConfig struct { +// AuditConfig holds audit logging settings. +type AuditConfig struct { + // Mode controls audit log output: "file", "stdout", or "" (disabled). + Mode string `toml:"mode"` + // Path is the audit log file path (required when mode is "file"). Path string `toml:"path"` -} - -// MCIASConfig holds MCIAS integration settings. -type MCIASConfig struct { - ServerURL string `toml:"server_url"` - CACert string `toml:"ca_cert"` - ServiceToken string `toml:"service_token"` + // IncludeReads enables audit logging for read-only operations. + IncludeReads bool `toml:"include_reads"` } // SealConfig holds Argon2id parameters for the seal process. @@ -75,46 +68,31 @@ type SealConfig struct { Argon2Threads uint8 `toml:"argon2_threads"` } -// LogConfig holds logging settings. -type LogConfig struct { - Level string `toml:"level"` -} - -// Load reads and parses a TOML config file. +// Load reads and parses a TOML config file with METACRYPT_ env var overrides. func Load(path string) (*Config, error) { - data, err := os.ReadFile(path) //nolint:gosec - if err != nil { - return nil, fmt.Errorf("config: read file: %w", err) - } - var cfg Config - if err := toml.Unmarshal(data, &cfg); err != nil { - return nil, fmt.Errorf("config: parse: %w", err) - } - if err := cfg.Validate(); err != nil { - return nil, err - } - return &cfg, nil + return mcdslconfig.Load[Config](path, "METACRYPT") } -// Validate checks required fields and applies defaults. +// Validate implements mcdslconfig.Validator for metacrypt-specific rules. func (c *Config) Validate() error { + // Required fields. if c.Server.ListenAddr == "" { - return fmt.Errorf("config: server.listen_addr is required") + return fmt.Errorf("server.listen_addr is required") } if c.Server.TLSCert == "" { - return fmt.Errorf("config: server.tls_cert is required") + return fmt.Errorf("server.tls_cert is required") } if c.Server.TLSKey == "" { - return fmt.Errorf("config: server.tls_key is required") + return fmt.Errorf("server.tls_key is required") } if c.Database.Path == "" { - return fmt.Errorf("config: database.path is required") + return fmt.Errorf("database.path is required") } if c.MCIAS.ServerURL == "" { - return fmt.Errorf("config: mcias.server_url is required") + return fmt.Errorf("mcias.server_url is required") } - // Apply defaults for seal parameters. + // Seal defaults. if c.Seal.Argon2Time == 0 { c.Seal.Argon2Time = 3 } @@ -125,25 +103,26 @@ func (c *Config) Validate() error { c.Seal.Argon2Threads = 4 } + // Log default. if c.Log.Level == "" { c.Log.Level = "info" } - // Apply defaults for web server. + // Web default. if c.Web.ListenAddr == "" { c.Web.ListenAddr = "127.0.0.1:8080" } - // Validate audit config. + // Audit validation. switch c.Audit.Mode { case "", "stdout": // ok case "file": if c.Audit.Path == "" { - return fmt.Errorf("config: audit.path is required when audit.mode is \"file\"") + return fmt.Errorf("audit.path is required when audit.mode is \"file\"") } default: - return fmt.Errorf("config: audit.mode must be \"file\", \"stdout\", or empty") + return fmt.Errorf("audit.mode must be \"file\", \"stdout\", or empty") } return nil diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 0c1dde5..b0dc61d 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -41,6 +41,38 @@ server_url = "https://mcias.example.com" } } +func TestLoadEnvOverride(t *testing.T) { + content := ` +[server] +listen_addr = ":8443" +tls_cert = "cert.pem" +tls_key = "key.pem" + +[database] +path = "test.db" + +[mcias] +server_url = "https://mcias.example.com" +` + dir := t.TempDir() + path := filepath.Join(dir, "test.toml") + _ = os.WriteFile(path, []byte(content), 0600) + + t.Setenv("METACRYPT_SERVER_LISTEN_ADDR", ":9999") + t.Setenv("METACRYPT_MCIAS_SERVER_URL", "https://override.example.com") + + cfg, err := Load(path) + if err != nil { + t.Fatalf("Load: %v", err) + } + if cfg.Server.ListenAddr != ":9999" { + t.Errorf("ListenAddr env override: got %q, want %q", cfg.Server.ListenAddr, ":9999") + } + if cfg.MCIAS.ServerURL != "https://override.example.com" { + t.Errorf("ServerURL env override: got %q", cfg.MCIAS.ServerURL) + } +} + func TestLoadMissingRequired(t *testing.T) { content := ` [server] diff --git a/internal/server/server_test.go b/internal/server/server_test.go index abf7b28..0476be2 100644 --- a/internal/server/server_test.go +++ b/internal/server/server_test.go @@ -16,6 +16,9 @@ import ( "git.wntrmute.dev/kyle/metacrypt/internal/barrier" "git.wntrmute.dev/kyle/metacrypt/internal/config" "git.wntrmute.dev/kyle/metacrypt/internal/crypto" + + mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth" + mcdslconfig "git.wntrmute.dev/kyle/mcdsl/config" "git.wntrmute.dev/kyle/metacrypt/internal/db" "git.wntrmute.dev/kyle/metacrypt/internal/engine" "git.wntrmute.dev/kyle/metacrypt/internal/policy" @@ -46,12 +49,14 @@ func setupTestServer(t *testing.T) (*Server, *seal.Manager, chi.Router) { cfg := &config.Config{ Server: config.ServerConfig{ - ListenAddr: ":0", - TLSCert: "cert.pem", - TLSKey: "key.pem", + ServerConfig: mcdslconfig.ServerConfig{ + ListenAddr: ":0", + TLSCert: "cert.pem", + TLSKey: "key.pem", + }, }, - Database: config.DatabaseConfig{Path: filepath.Join(dir, "test.db")}, - MCIAS: config.MCIASConfig{ServerURL: "https://mcias.test"}, + Database: mcdslconfig.DatabaseConfig{Path: filepath.Join(dir, "test.db")}, + MCIAS: config.MCIASConfig{Config: mcdslauth.Config{ServerURL: "https://mcias.test"}}, Seal: config.SealConfig{ Argon2Time: 1, Argon2Memory: 64 * 1024,