comparing main and refactor on evan.jarrett.net/at-container-registry

+18 -40

cmd/appview/serve.go

··· 150 middleware.SetGlobalRefresher(refresher) 151 152 // Set global database for pull/push metrics tracking 153 - metricsDB := db.NewMetricsDB(uiDatabase) 154 - middleware.SetGlobalDatabase(metricsDB) 155 156 // Create RemoteHoldAuthorizer for hold authorization with caching 157 holdAuthorizer := auth.NewRemoteHoldAuthorizer(uiDatabase, testMode) ··· 191 HealthChecker: healthChecker, 192 ReadmeFetcher: readmeFetcher, 193 Templates: uiTemplates, 194 }) 195 } 196 } ··· 212 // Create ATProto client with session provider (uses DoWithSession for DPoP nonce safety) 213 client := atproto.NewClientWithSessionProvider(pdsEndpoint, did, refresher) 214 215 - // Ensure sailor profile exists (creates with default hold if configured) 216 - slog.Debug("Ensuring profile exists", "component", "appview/callback", "did", did, "default_hold_did", defaultHoldDID) 217 - if err := storage.EnsureProfile(ctx, client, defaultHoldDID); err != nil { 218 - slog.Warn("Failed to ensure profile", "component", "appview/callback", "did", did, "error", err) 219 - // Continue anyway - profile creation is not critical for avatar fetch 220 - } else { 221 - slog.Debug("Profile ensured", "component", "appview/callback", "did", did) 222 - } 223 224 // Fetch user's profile record from PDS (contains blob references) 225 profileRecord, err := client.GetProfileRecord(ctx, did) ··· 270 return nil // Non-fatal 271 } 272 273 - var holdDID string 274 if profile != nil && profile.DefaultHold != "" { 275 // Check if defaultHold is a URL (needs migration) 276 if strings.HasPrefix(profile.DefaultHold, "http://") || strings.HasPrefix(profile.DefaultHold, "https://") { ··· 286 } else { 287 slog.Debug("Updated profile with hold DID", "component", "appview/callback", "hold_did", holdDID) 288 } 289 - } else { 290 - // Already a DID - use it 291 - holdDID = profile.DefaultHold 292 } 293 - // Register crew regardless of migration (outside the migration block) 294 - // Run in background to avoid blocking OAuth callback if hold is offline 295 - // Use background context - don't inherit request context which gets canceled on response 296 - slog.Debug("Attempting crew registration", "component", "appview/callback", "did", did, "hold_did", holdDID) 297 - go func(client *atproto.Client, refresher *oauth.Refresher, holdDID string) { 298 - ctx := context.Background() 299 - storage.EnsureCrewMembership(ctx, client, refresher, holdDID) 300 - }(client, refresher, holdDID) 301 - 302 } 303 304 return nil // All errors are non-fatal, logged for debugging ··· 320 ctx := context.Background() 321 app := handlers.NewApp(ctx, cfg.Distribution) 322 323 - // Wrap registry app with auth method extraction middleware 324 - // This extracts the auth method from the JWT and stores it in the request context 325 wrappedApp := middleware.ExtractAuthMethod(app) 326 327 // Mount registry at /v2/ 328 mainRouter.Handle("/v2/*", wrappedApp) 329 ··· 412 // Prevents the flood of errors when a stale session is discovered during push 413 tokenHandler.SetOAuthSessionValidator(refresher) 414 415 - // Register token post-auth callback for profile management 416 - // This decouples the token package from AppView-specific dependencies 417 tokenHandler.SetPostAuthCallback(func(ctx context.Context, did, handle, pdsEndpoint, accessToken string) error { 418 slog.Debug("Token post-auth callback", "component", "appview/callback", "did", did) 419 - 420 - // Create ATProto client with validated token 421 - atprotoClient := atproto.NewClient(pdsEndpoint, did, accessToken) 422 - 423 - // Ensure profile exists (will create with default hold if not exists and default is configured) 424 - if err := storage.EnsureProfile(ctx, atprotoClient, defaultHoldDID); err != nil { 425 - // Log error but don't fail auth - profile management is not critical 426 - slog.Warn("Failed to ensure profile", "component", "appview/callback", "did", did, "error", err) 427 - } else { 428 - slog.Debug("Profile ensured with default hold", "component", "appview/callback", "did", did, "default_hold_did", defaultHoldDID) 429 - } 430 - 431 - return nil // All errors are non-fatal 432 }) 433 434 mainRouter.Get("/auth/token", tokenHandler.ServeHTTP)

··· 150 middleware.SetGlobalRefresher(refresher) 151 152 // Set global database for pull/push metrics tracking 153 + middleware.SetGlobalDatabase(uiDatabase) 154 155 // Create RemoteHoldAuthorizer for hold authorization with caching 156 holdAuthorizer := auth.NewRemoteHoldAuthorizer(uiDatabase, testMode) ··· 190 HealthChecker: healthChecker, 191 ReadmeFetcher: readmeFetcher, 192 Templates: uiTemplates, 193 + DefaultHoldDID: defaultHoldDID, 194 }) 195 } 196 } ··· 212 // Create ATProto client with session provider (uses DoWithSession for DPoP nonce safety) 213 client := atproto.NewClientWithSessionProvider(pdsEndpoint, did, refresher) 214 215 + // Note: Profile and crew setup now happen automatically via UserContext.EnsureUserSetup() 216 217 // Fetch user's profile record from PDS (contains blob references) 218 profileRecord, err := client.GetProfileRecord(ctx, did) ··· 263 return nil // Non-fatal 264 } 265 266 + // Migrate profile URL→DID if needed (legacy migration, crew registration now handled by UserContext) 267 if profile != nil && profile.DefaultHold != "" { 268 // Check if defaultHold is a URL (needs migration) 269 if strings.HasPrefix(profile.DefaultHold, "http://") || strings.HasPrefix(profile.DefaultHold, "https://") { ··· 279 } else { 280 slog.Debug("Updated profile with hold DID", "component", "appview/callback", "hold_did", holdDID) 281 } 282 } 283 } 284 285 return nil // All errors are non-fatal, logged for debugging ··· 301 ctx := context.Background() 302 app := handlers.NewApp(ctx, cfg.Distribution) 303 304 + // Wrap registry app with middleware chain: 305 + // 1. ExtractAuthMethod - extracts auth method from JWT and stores in context 306 + // 2. UserContextMiddleware - builds UserContext with identity, permissions, service tokens 307 wrappedApp := middleware.ExtractAuthMethod(app) 308 309 + // Create dependencies for UserContextMiddleware 310 + userContextDeps := &auth.Dependencies{ 311 + Refresher: refresher, 312 + Authorizer: holdAuthorizer, 313 + DefaultHoldDID: defaultHoldDID, 314 + } 315 + wrappedApp = middleware.UserContextMiddleware(userContextDeps)(wrappedApp) 316 + 317 // Mount registry at /v2/ 318 mainRouter.Handle("/v2/*", wrappedApp) 319 ··· 402 // Prevents the flood of errors when a stale session is discovered during push 403 tokenHandler.SetOAuthSessionValidator(refresher) 404 405 + // Register token post-auth callback 406 + // Note: Profile and crew setup now happen automatically via UserContext.EnsureUserSetup() 407 tokenHandler.SetPostAuthCallback(func(ctx context.Context, did, handle, pdsEndpoint, accessToken string) error { 408 slog.Debug("Token post-auth callback", "component", "appview/callback", "did", did) 409 + return nil 410 }) 411 412 mainRouter.Get("/auth/token", tokenHandler.ServeHTTP)

-25

pkg/appview/db/queries.go

··· 1634 return time.Time{}, fmt.Errorf("unable to parse timestamp: %s", s) 1635 } 1636 1637 - // MetricsDB wraps a sql.DB and implements the metrics interface for middleware 1638 - type MetricsDB struct { 1639 - db *sql.DB 1640 - } 1641 - 1642 - // NewMetricsDB creates a new metrics database wrapper 1643 - func NewMetricsDB(db *sql.DB) *MetricsDB { 1644 - return &MetricsDB{db: db} 1645 - } 1646 - 1647 - // IncrementPullCount increments the pull count for a repository 1648 - func (m *MetricsDB) IncrementPullCount(did, repository string) error { 1649 - return IncrementPullCount(m.db, did, repository) 1650 - } 1651 - 1652 - // IncrementPushCount increments the push count for a repository 1653 - func (m *MetricsDB) IncrementPushCount(did, repository string) error { 1654 - return IncrementPushCount(m.db, did, repository) 1655 - } 1656 - 1657 - // GetLatestHoldDIDForRepo returns the hold DID from the most recent manifest for a repository 1658 - func (m *MetricsDB) GetLatestHoldDIDForRepo(did, repository string) (string, error) { 1659 - return GetLatestHoldDIDForRepo(m.db, did, repository) 1660 - } 1661 - 1662 // GetFeaturedRepositories fetches top repositories sorted by stars and pulls 1663 func GetFeaturedRepositories(db *sql.DB, limit int, currentUserDID string) ([]FeaturedRepository, error) { 1664 query := `

··· 1634 return time.Time{}, fmt.Errorf("unable to parse timestamp: %s", s) 1635 } 1636 1637 // GetFeaturedRepositories fetches top repositories sorted by stars and pulls 1638 func GetFeaturedRepositories(db *sql.DB, limit int, currentUserDID string) ([]FeaturedRepository, error) { 1639 query := `

+59 -6

pkg/appview/middleware/auth.go

··· 11 "net/url" 12 13 "atcr.io/pkg/appview/db" 14 ) 15 16 type contextKey string 17 18 const userKey contextKey = "user" 19 20 // RequireAuth is middleware that requires authentication 21 func RequireAuth(store *db.SessionStore, database *sql.DB) func(http.Handler) http.Handler { 22 return func(next http.Handler) http.Handler { 23 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 24 sessionID, ok := getSessionID(r) ··· 32 return 33 } 34 35 - sess, ok := store.Get(sessionID) 36 if !ok { 37 // Build return URL with query parameters preserved 38 returnTo := r.URL.Path ··· 44 } 45 46 // Look up full user from database to get avatar 47 - user, err := db.GetUserByDID(database, sess.DID) 48 if err != nil || user == nil { 49 // Fallback to session data if DB lookup fails 50 user = &db.User{ ··· 54 } 55 } 56 57 - ctx := context.WithValue(r.Context(), userKey, user) 58 next.ServeHTTP(w, r.WithContext(ctx)) 59 }) 60 } ··· 62 63 // OptionalAuth is middleware that optionally includes user if authenticated 64 func OptionalAuth(store *db.SessionStore, database *sql.DB) func(http.Handler) http.Handler { 65 return func(next http.Handler) http.Handler { 66 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 67 sessionID, ok := getSessionID(r) 68 if ok { 69 - if sess, ok := store.Get(sessionID); ok { 70 // Look up full user from database to get avatar 71 - user, err := db.GetUserByDID(database, sess.DID) 72 if err != nil || user == nil { 73 // Fallback to session data if DB lookup fails 74 user = &db.User{ ··· 77 PDSEndpoint: sess.PDSEndpoint, 78 } 79 } 80 - ctx := context.WithValue(r.Context(), userKey, user) 81 r = r.WithContext(ctx) 82 } 83 }

··· 11 "net/url" 12 13 "atcr.io/pkg/appview/db" 14 + "atcr.io/pkg/auth" 15 + "atcr.io/pkg/auth/oauth" 16 ) 17 18 type contextKey string 19 20 const userKey contextKey = "user" 21 22 + // WebAuthDeps contains dependencies for web auth middleware 23 + type WebAuthDeps struct { 24 + SessionStore *db.SessionStore 25 + Database *sql.DB 26 + Refresher *oauth.Refresher 27 + DefaultHoldDID string 28 + } 29 + 30 // RequireAuth is middleware that requires authentication 31 func RequireAuth(store *db.SessionStore, database *sql.DB) func(http.Handler) http.Handler { 32 + return RequireAuthWithDeps(WebAuthDeps{ 33 + SessionStore: store, 34 + Database: database, 35 + }) 36 + } 37 + 38 + // RequireAuthWithDeps is middleware that requires authentication and creates UserContext 39 + func RequireAuthWithDeps(deps WebAuthDeps) func(http.Handler) http.Handler { 40 return func(next http.Handler) http.Handler { 41 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 42 sessionID, ok := getSessionID(r) ··· 50 return 51 } 52 53 + sess, ok := deps.SessionStore.Get(sessionID) 54 if !ok { 55 // Build return URL with query parameters preserved 56 returnTo := r.URL.Path ··· 62 } 63 64 // Look up full user from database to get avatar 65 + user, err := db.GetUserByDID(deps.Database, sess.DID) 66 if err != nil || user == nil { 67 // Fallback to session data if DB lookup fails 68 user = &db.User{ ··· 72 } 73 } 74 75 + ctx := r.Context() 76 + ctx = context.WithValue(ctx, userKey, user) 77 + 78 + // Create UserContext for authenticated users (enables EnsureUserSetup) 79 + if deps.Refresher != nil { 80 + userCtx := auth.NewUserContext(sess.DID, auth.AuthMethodOAuth, r.Method, &auth.Dependencies{ 81 + Refresher: deps.Refresher, 82 + DefaultHoldDID: deps.DefaultHoldDID, 83 + }) 84 + userCtx.SetPDS(sess.Handle, sess.PDSEndpoint) 85 + userCtx.EnsureUserSetup() 86 + ctx = auth.WithUserContext(ctx, userCtx) 87 + } 88 + 89 next.ServeHTTP(w, r.WithContext(ctx)) 90 }) 91 } ··· 93 94 // OptionalAuth is middleware that optionally includes user if authenticated 95 func OptionalAuth(store *db.SessionStore, database *sql.DB) func(http.Handler) http.Handler { 96 + return OptionalAuthWithDeps(WebAuthDeps{ 97 + SessionStore: store, 98 + Database: database, 99 + }) 100 + } 101 + 102 + // OptionalAuthWithDeps is middleware that optionally includes user and UserContext if authenticated 103 + func OptionalAuthWithDeps(deps WebAuthDeps) func(http.Handler) http.Handler { 104 return func(next http.Handler) http.Handler { 105 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 106 sessionID, ok := getSessionID(r) 107 if ok { 108 + if sess, ok := deps.SessionStore.Get(sessionID); ok { 109 // Look up full user from database to get avatar 110 + user, err := db.GetUserByDID(deps.Database, sess.DID) 111 if err != nil || user == nil { 112 // Fallback to session data if DB lookup fails 113 user = &db.User{ ··· 116 PDSEndpoint: sess.PDSEndpoint, 117 } 118 } 119 + 120 + ctx := r.Context() 121 + ctx = context.WithValue(ctx, userKey, user) 122 + 123 + // Create UserContext for authenticated users (enables EnsureUserSetup) 124 + if deps.Refresher != nil { 125 + userCtx := auth.NewUserContext(sess.DID, auth.AuthMethodOAuth, r.Method, &auth.Dependencies{ 126 + Refresher: deps.Refresher, 127 + DefaultHoldDID: deps.DefaultHoldDID, 128 + }) 129 + userCtx.SetPDS(sess.Handle, sess.PDSEndpoint) 130 + userCtx.EnsureUserSetup() 131 + ctx = auth.WithUserContext(ctx, userCtx) 132 + } 133 + 134 r = r.WithContext(ctx) 135 } 136 }

+76 -319

pkg/appview/middleware/registry.go

··· 2 3 import ( 4 "context" 5 "fmt" 6 "log/slog" 7 "net/http" 8 "strings" 9 - "sync" 10 - "time" 11 12 "github.com/distribution/distribution/v3" 13 - "github.com/distribution/distribution/v3/registry/api/errcode" 14 registrymw "github.com/distribution/distribution/v3/registry/middleware/registry" 15 "github.com/distribution/distribution/v3/registry/storage/driver" 16 "github.com/distribution/reference" 17 18 - "atcr.io/pkg/appview/readme" 19 "atcr.io/pkg/appview/storage" 20 "atcr.io/pkg/atproto" 21 "atcr.io/pkg/auth" ··· 32 // pullerDIDKey is the context key for storing the authenticated user's DID from JWT 33 const pullerDIDKey contextKey = "puller.did" 34 35 - // validationCacheEntry stores a validated service token with expiration 36 - type validationCacheEntry struct { 37 - serviceToken string 38 - validUntil time.Time 39 - err error // Cached error for fast-fail 40 - mu sync.Mutex // Per-entry lock to serialize cache population 41 - inFlight bool // True if another goroutine is fetching the token 42 - done chan struct{} // Closed when fetch completes 43 - } 44 - 45 - // validationCache provides request-level caching for service tokens 46 - // This prevents concurrent layer uploads from racing on OAuth/DPoP requests 47 - type validationCache struct { 48 - mu sync.RWMutex 49 - entries map[string]*validationCacheEntry // key: "did:holdDID" 50 - } 51 - 52 - // newValidationCache creates a new validation cache 53 - func newValidationCache() *validationCache { 54 - return &validationCache{ 55 - entries: make(map[string]*validationCacheEntry), 56 - } 57 - } 58 - 59 - // getOrFetch retrieves a service token from cache or fetches it 60 - // Multiple concurrent requests for the same DID:holdDID will share the fetch operation 61 - func (vc *validationCache) getOrFetch(ctx context.Context, cacheKey string, fetchFunc func() (string, error)) (string, error) { 62 - // Fast path: check cache with read lock 63 - vc.mu.RLock() 64 - entry, exists := vc.entries[cacheKey] 65 - vc.mu.RUnlock() 66 - 67 - if exists { 68 - // Entry exists, check if it's still valid 69 - entry.mu.Lock() 70 - 71 - // If another goroutine is fetching, wait for it 72 - if entry.inFlight { 73 - done := entry.done 74 - entry.mu.Unlock() 75 - 76 - select { 77 - case <-done: 78 - // Fetch completed, check result 79 - entry.mu.Lock() 80 - defer entry.mu.Unlock() 81 - 82 - if entry.err != nil { 83 - return "", entry.err 84 - } 85 - if time.Now().Before(entry.validUntil) { 86 - return entry.serviceToken, nil 87 - } 88 - // Fall through to refetch 89 - case <-ctx.Done(): 90 - return "", ctx.Err() 91 - } 92 - } else { 93 - // Check if cached token is still valid 94 - if entry.err != nil && time.Now().Before(entry.validUntil) { 95 - // Return cached error (fast-fail) 96 - entry.mu.Unlock() 97 - return "", entry.err 98 - } 99 - if entry.err == nil && time.Now().Before(entry.validUntil) { 100 - // Return cached token 101 - token := entry.serviceToken 102 - entry.mu.Unlock() 103 - return token, nil 104 - } 105 - entry.mu.Unlock() 106 - } 107 - } 108 - 109 - // Slow path: need to fetch token 110 - vc.mu.Lock() 111 - entry, exists = vc.entries[cacheKey] 112 - if !exists { 113 - // Create new entry 114 - entry = &validationCacheEntry{ 115 - inFlight: true, 116 - done: make(chan struct{}), 117 - } 118 - vc.entries[cacheKey] = entry 119 - } 120 - vc.mu.Unlock() 121 - 122 - // Lock the entry to perform fetch 123 - entry.mu.Lock() 124 - 125 - // Double-check: another goroutine may have fetched while we waited 126 - if !entry.inFlight { 127 - if entry.err != nil && time.Now().Before(entry.validUntil) { 128 - err := entry.err 129 - entry.mu.Unlock() 130 - return "", err 131 - } 132 - if entry.err == nil && time.Now().Before(entry.validUntil) { 133 - token := entry.serviceToken 134 - entry.mu.Unlock() 135 - return token, nil 136 - } 137 - } 138 - 139 - // Mark as in-flight and create fresh done channel for this fetch 140 - // IMPORTANT: Always create a new channel - a closed channel is not nil 141 - entry.done = make(chan struct{}) 142 - entry.inFlight = true 143 - done := entry.done 144 - entry.mu.Unlock() 145 - 146 - // Perform the fetch (outside the lock to allow other operations) 147 - serviceToken, err := fetchFunc() 148 - 149 - // Update the entry with result 150 - entry.mu.Lock() 151 - entry.inFlight = false 152 - 153 - if err != nil { 154 - // Cache errors for 5 seconds (fast-fail for subsequent requests) 155 - entry.err = err 156 - entry.validUntil = time.Now().Add(5 * time.Second) 157 - entry.serviceToken = "" 158 - } else { 159 - // Cache token for 45 seconds (covers typical Docker push operation) 160 - entry.err = nil 161 - entry.serviceToken = serviceToken 162 - entry.validUntil = time.Now().Add(45 * time.Second) 163 - } 164 - 165 - // Signal completion to waiting goroutines 166 - close(done) 167 - entry.mu.Unlock() 168 - 169 - return serviceToken, err 170 - } 171 - 172 // Global variables for initialization only 173 // These are set by main.go during startup and copied into NamespaceResolver instances. 174 // After initialization, request handling uses the NamespaceResolver's instance fields. 175 var ( 176 globalRefresher *oauth.Refresher 177 - globalDatabase storage.DatabaseMetrics 178 globalAuthorizer auth.HoldAuthorizer 179 ) 180 ··· 186 187 // SetGlobalDatabase sets the database instance during initialization 188 // Must be called before the registry starts serving requests 189 - func SetGlobalDatabase(database storage.DatabaseMetrics) { 190 globalDatabase = database 191 } 192 ··· 204 // NamespaceResolver wraps a namespace and resolves names 205 type NamespaceResolver struct { 206 distribution.Namespace 207 - defaultHoldDID string // Default hold DID (e.g., "did:web:hold01.atcr.io") 208 - baseURL string // Base URL for error messages (e.g., "https://atcr.io") 209 - testMode bool // If true, fallback to default hold when user's hold is unreachable 210 - refresher *oauth.Refresher // OAuth session manager (copied from global on init) 211 - database storage.DatabaseMetrics // Metrics database (copied from global on init) 212 - authorizer auth.HoldAuthorizer // Hold authorization (copied from global on init) 213 - validationCache *validationCache // Request-level service token cache 214 - readmeFetcher *readme.Fetcher // README fetcher for repo pages 215 } 216 217 // initATProtoResolver initializes the name resolution middleware ··· 238 // Copy shared services from globals into the instance 239 // This avoids accessing globals during request handling 240 return &NamespaceResolver{ 241 - Namespace: ns, 242 - defaultHoldDID: defaultHoldDID, 243 - baseURL: baseURL, 244 - testMode: testMode, 245 - refresher: globalRefresher, 246 - database: globalDatabase, 247 - authorizer: globalAuthorizer, 248 - validationCache: newValidationCache(), 249 - readmeFetcher: readme.NewFetcher(), 250 }, nil 251 } 252 253 - // authErrorMessage creates a user-friendly auth error with login URL 254 - func (nr *NamespaceResolver) authErrorMessage(message string) error { 255 - loginURL := fmt.Sprintf("%s/auth/oauth/login", nr.baseURL) 256 - fullMessage := fmt.Sprintf("%s - please re-authenticate at %s", message, loginURL) 257 - return errcode.ErrorCodeUnauthorized.WithMessage(fullMessage) 258 - } 259 - 260 // Repository resolves the repository name and delegates to underlying namespace 261 // Handles names like: 262 // - atcr.io/alice/myimage → resolve alice to DID ··· 290 } 291 ctx = context.WithValue(ctx, holdDIDKey, holdDID) 292 293 - // Auto-reconcile crew membership on first push/pull 294 - // This ensures users can push immediately after docker login without web sign-in 295 - // EnsureCrewMembership is best-effort and logs errors without failing the request 296 - // Run in background to avoid blocking registry operations if hold is offline 297 - if holdDID != "" && nr.refresher != nil { 298 - slog.Debug("Auto-reconciling crew membership", "component", "registry/middleware", "did", did, "hold_did", holdDID) 299 - client := atproto.NewClient(pdsEndpoint, did, "") 300 - go func(ctx context.Context, client *atproto.Client, refresher *oauth.Refresher, holdDID string) { 301 - storage.EnsureCrewMembership(ctx, client, refresher, holdDID) 302 - }(ctx, client, nr.refresher, holdDID) 303 - } 304 - 305 - // Get service token for hold authentication (only if authenticated) 306 - // Use validation cache to prevent concurrent requests from racing on OAuth/DPoP 307 - // Route based on auth method from JWT token 308 - // IMPORTANT: Use PULLER's DID/PDS for service token, not owner's! 309 - // The puller (authenticated user) needs to authenticate to the hold service. 310 - var serviceToken string 311 - authMethod, _ := ctx.Value(authMethodKey).(string) 312 - pullerDID, _ := ctx.Value(pullerDIDKey).(string) 313 - var pullerPDSEndpoint string 314 - 315 - // Only fetch service token if user is authenticated 316 - // Unauthenticated requests (like /v2/ ping) should not trigger token fetching 317 - if authMethod != "" && pullerDID != "" { 318 - // Resolve puller's PDS endpoint for service token request 319 - _, _, pullerPDSEndpoint, err = atproto.ResolveIdentity(ctx, pullerDID) 320 - if err != nil { 321 - slog.Warn("Failed to resolve puller's PDS, falling back to anonymous access", 322 - "component", "registry/middleware", 323 - "pullerDID", pullerDID, 324 - "error", err) 325 - // Continue without service token - hold will decide if anonymous access is allowed 326 - } else { 327 - // Create cache key: "pullerDID:holdDID" 328 - cacheKey := fmt.Sprintf("%s:%s", pullerDID, holdDID) 329 - 330 - // Fetch service token through validation cache 331 - // This ensures only ONE request per pullerDID:holdDID pair fetches the token 332 - // Concurrent requests will wait for the first request to complete 333 - var fetchErr error 334 - serviceToken, fetchErr = nr.validationCache.getOrFetch(ctx, cacheKey, func() (string, error) { 335 - if authMethod == token.AuthMethodAppPassword { 336 - // App-password flow: use Bearer token authentication 337 - slog.Debug("Using app-password flow for service token", 338 - "component", "registry/middleware", 339 - "pullerDID", pullerDID, 340 - "cacheKey", cacheKey) 341 - 342 - token, err := auth.GetOrFetchServiceTokenWithAppPassword(ctx, pullerDID, holdDID, pullerPDSEndpoint) 343 - if err != nil { 344 - slog.Error("Failed to get service token with app-password", 345 - "component", "registry/middleware", 346 - "pullerDID", pullerDID, 347 - "holdDID", holdDID, 348 - "pullerPDSEndpoint", pullerPDSEndpoint, 349 - "error", err) 350 - return "", err 351 - } 352 - return token, nil 353 - } else if nr.refresher != nil { 354 - // OAuth flow: use DPoP authentication 355 - slog.Debug("Using OAuth flow for service token", 356 - "component", "registry/middleware", 357 - "pullerDID", pullerDID, 358 - "cacheKey", cacheKey) 359 - 360 - token, err := auth.GetOrFetchServiceToken(ctx, nr.refresher, pullerDID, holdDID, pullerPDSEndpoint) 361 - if err != nil { 362 - slog.Error("Failed to get service token with OAuth", 363 - "component", "registry/middleware", 364 - "pullerDID", pullerDID, 365 - "holdDID", holdDID, 366 - "pullerPDSEndpoint", pullerPDSEndpoint, 367 - "error", err) 368 - return "", err 369 - } 370 - return token, nil 371 - } 372 - return "", fmt.Errorf("no authentication method available") 373 - }) 374 - 375 - // Handle errors from cached fetch 376 - if fetchErr != nil { 377 - errMsg := fetchErr.Error() 378 - 379 - // Check for app-password specific errors 380 - if authMethod == token.AuthMethodAppPassword { 381 - if strings.Contains(errMsg, "expired or invalid") || strings.Contains(errMsg, "no app-password") { 382 - return nil, nr.authErrorMessage("App-password authentication failed. Please re-authenticate with: docker login") 383 - } 384 - } 385 - 386 - // Check for OAuth specific errors 387 - if strings.Contains(errMsg, "OAuth session") || strings.Contains(errMsg, "OAuth validation") { 388 - return nil, nr.authErrorMessage("OAuth session expired or invalidated by PDS. Your session has been cleared") 389 - } 390 - 391 - // Generic service token error 392 - return nil, nr.authErrorMessage(fmt.Sprintf("Failed to obtain storage credentials: %v", fetchErr)) 393 - } 394 - } 395 - } else { 396 - slog.Debug("Skipping service token fetch for unauthenticated request", 397 - "component", "registry/middleware", 398 - "ownerDID", did) 399 - } 400 401 // Create a new reference with identity/image format 402 // Use the identity (or DID) as the namespace to ensure canonical format ··· 413 return nil, err 414 } 415 416 - // Create ATProto client for manifest/tag operations 417 - // Pulls: ATProto records are public, no auth needed 418 - // Pushes: Need auth, but puller must be owner anyway 419 - var atprotoClient *atproto.Client 420 - 421 - if pullerDID == did { 422 - // Puller is owner - may need auth for pushes 423 - if authMethod == token.AuthMethodOAuth && nr.refresher != nil { 424 - atprotoClient = atproto.NewClientWithSessionProvider(pdsEndpoint, did, nr.refresher) 425 - } else if authMethod == token.AuthMethodAppPassword { 426 - accessToken, _ := auth.GetGlobalTokenCache().Get(did) 427 - atprotoClient = atproto.NewClient(pdsEndpoint, did, accessToken) 428 - } else { 429 - atprotoClient = atproto.NewClient(pdsEndpoint, did, "") 430 - } 431 - } else { 432 - // Puller != owner - reads only, no auth needed 433 - atprotoClient = atproto.NewClient(pdsEndpoint, did, "") 434 - } 435 - 436 // IMPORTANT: Use only the image name (not identity/image) for ATProto storage 437 // ATProto records are scoped to the user's DID, so we don't need the identity prefix 438 // Example: "evan.jarrett.net/debian" -> store as "debian" 439 repositoryName := imageName 440 441 - // Default auth method to OAuth if not already set (backward compatibility with old tokens) 442 - if authMethod == "" { 443 - authMethod = token.AuthMethodOAuth 444 } 445 446 // Create routing repository - routes manifests to ATProto, blobs to hold service 447 // The registry is stateless - no local storage is used 448 - // Bundle all context into a single RegistryContext struct 449 // 450 // NOTE: We create a fresh RoutingRepository on every request (no caching) because: 451 // 1. Each layer upload is a separate HTTP request (possibly different process) 452 // 2. OAuth sessions can be refreshed/invalidated between requests 453 // 3. The refresher already caches sessions efficiently (in-memory + DB) 454 - // 4. Caching the repository with a stale ATProtoClient causes refresh token errors 455 - registryCtx := &storage.RegistryContext{ 456 - DID: did, 457 - Handle: handle, 458 - HoldDID: holdDID, 459 - PDSEndpoint: pdsEndpoint, 460 - Repository: repositoryName, 461 - ServiceToken: serviceToken, // Cached service token from puller's PDS 462 - ATProtoClient: atprotoClient, 463 - AuthMethod: authMethod, // Auth method from JWT token 464 - PullerDID: pullerDID, // Authenticated user making the request 465 - PullerPDSEndpoint: pullerPDSEndpoint, // Puller's PDS for service token refresh 466 - Database: nr.database, 467 - Authorizer: nr.authorizer, 468 - Refresher: nr.refresher, 469 - ReadmeFetcher: nr.readmeFetcher, 470 - } 471 - 472 - return storage.NewRoutingRepository(repo, registryCtx), nil 473 } 474 475 // Repositories delegates to underlying namespace ··· 504 } 505 506 if profile != nil && profile.DefaultHold != "" { 507 - // Profile exists with defaultHold set 508 - // In test mode, verify it's reachable before using it 509 if nr.testMode { 510 if nr.isHoldReachable(ctx, profile.DefaultHold) { 511 return profile.DefaultHold ··· 584 next.ServeHTTP(w, r) 585 }) 586 }

··· 2 3 import ( 4 "context" 5 + "database/sql" 6 "fmt" 7 "log/slog" 8 "net/http" 9 "strings" 10 11 "github.com/distribution/distribution/v3" 12 registrymw "github.com/distribution/distribution/v3/registry/middleware/registry" 13 "github.com/distribution/distribution/v3/registry/storage/driver" 14 "github.com/distribution/reference" 15 16 "atcr.io/pkg/appview/storage" 17 "atcr.io/pkg/atproto" 18 "atcr.io/pkg/auth" ··· 29 // pullerDIDKey is the context key for storing the authenticated user's DID from JWT 30 const pullerDIDKey contextKey = "puller.did" 31 32 // Global variables for initialization only 33 // These are set by main.go during startup and copied into NamespaceResolver instances. 34 // After initialization, request handling uses the NamespaceResolver's instance fields. 35 var ( 36 globalRefresher *oauth.Refresher 37 + globalDatabase *sql.DB 38 globalAuthorizer auth.HoldAuthorizer 39 ) 40 ··· 46 47 // SetGlobalDatabase sets the database instance during initialization 48 // Must be called before the registry starts serving requests 49 + func SetGlobalDatabase(database *sql.DB) { 50 globalDatabase = database 51 } 52 ··· 64 // NamespaceResolver wraps a namespace and resolves names 65 type NamespaceResolver struct { 66 distribution.Namespace 67 + defaultHoldDID string // Default hold DID (e.g., "did:web:hold01.atcr.io") 68 + baseURL string // Base URL for error messages (e.g., "https://atcr.io") 69 + testMode bool // If true, fallback to default hold when user's hold is unreachable 70 + refresher *oauth.Refresher // OAuth session manager (copied from global on init) 71 + sqlDB *sql.DB // Database for hold DID lookup and metrics (copied from global on init) 72 + authorizer auth.HoldAuthorizer // Hold authorization (copied from global on init) 73 } 74 75 // initATProtoResolver initializes the name resolution middleware ··· 96 // Copy shared services from globals into the instance 97 // This avoids accessing globals during request handling 98 return &NamespaceResolver{ 99 + Namespace: ns, 100 + defaultHoldDID: defaultHoldDID, 101 + baseURL: baseURL, 102 + testMode: testMode, 103 + refresher: globalRefresher, 104 + sqlDB: globalDatabase, 105 + authorizer: globalAuthorizer, 106 }, nil 107 } 108 109 // Repository resolves the repository name and delegates to underlying namespace 110 // Handles names like: 111 // - atcr.io/alice/myimage → resolve alice to DID ··· 139 } 140 ctx = context.WithValue(ctx, holdDIDKey, holdDID) 141 142 + // Note: Profile and crew membership are now ensured in UserContextMiddleware 143 + // via EnsureUserSetup() - no need to call here 144 145 // Create a new reference with identity/image format 146 // Use the identity (or DID) as the namespace to ensure canonical format ··· 157 return nil, err 158 } 159 160 // IMPORTANT: Use only the image name (not identity/image) for ATProto storage 161 // ATProto records are scoped to the user's DID, so we don't need the identity prefix 162 // Example: "evan.jarrett.net/debian" -> store as "debian" 163 repositoryName := imageName 164 165 + // Get UserContext from request context (set by UserContextMiddleware) 166 + userCtx := auth.FromContext(ctx) 167 + if userCtx == nil { 168 + return nil, fmt.Errorf("UserContext not set in request context - ensure UserContextMiddleware is configured") 169 } 170 171 + // Set target repository info on UserContext 172 + // ATProtoClient is cached lazily via userCtx.GetATProtoClient() 173 + userCtx.SetTarget(did, handle, pdsEndpoint, repositoryName, holdDID) 174 + 175 // Create routing repository - routes manifests to ATProto, blobs to hold service 176 // The registry is stateless - no local storage is used 177 // 178 // NOTE: We create a fresh RoutingRepository on every request (no caching) because: 179 // 1. Each layer upload is a separate HTTP request (possibly different process) 180 // 2. OAuth sessions can be refreshed/invalidated between requests 181 // 3. The refresher already caches sessions efficiently (in-memory + DB) 182 + // 4. ATProtoClient is now cached in UserContext via GetATProtoClient() 183 + return storage.NewRoutingRepository(repo, userCtx, nr.sqlDB), nil 184 } 185 186 // Repositories delegates to underlying namespace ··· 215 } 216 217 if profile != nil && profile.DefaultHold != "" { 218 + // In test mode, verify the hold is reachable (fall back to default if not) 219 + // In production, trust the user's profile and return their hold 220 if nr.testMode { 221 if nr.isHoldReachable(ctx, profile.DefaultHold) { 222 return profile.DefaultHold ··· 295 next.ServeHTTP(w, r) 296 }) 297 } 298 + 299 + // UserContextMiddleware creates a UserContext from the extracted JWT claims 300 + // and stores it in the request context for use throughout request processing. 301 + // This middleware should be chained AFTER ExtractAuthMethod. 302 + func UserContextMiddleware(deps *auth.Dependencies) func(http.Handler) http.Handler { 303 + return func(next http.Handler) http.Handler { 304 + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 305 + ctx := r.Context() 306 + 307 + // Get values set by ExtractAuthMethod 308 + authMethod, _ := ctx.Value(authMethodKey).(string) 309 + pullerDID, _ := ctx.Value(pullerDIDKey).(string) 310 + 311 + // Build UserContext with all dependencies 312 + userCtx := auth.NewUserContext(pullerDID, authMethod, r.Method, deps) 313 + 314 + // Eagerly resolve user's PDS for authenticated users 315 + // This is a fast path that avoids lazy loading in most cases 316 + if userCtx.IsAuthenticated { 317 + if err := userCtx.ResolvePDS(ctx); err != nil { 318 + slog.Warn("Failed to resolve puller's PDS", 319 + "component", "registry/middleware", 320 + "did", pullerDID, 321 + "error", err) 322 + // Continue without PDS - will fail on service token request 323 + } 324 + 325 + // Ensure user has profile and crew membership (runs in background, cached) 326 + userCtx.EnsureUserSetup() 327 + } 328 + 329 + // Store UserContext in request context 330 + ctx = auth.WithUserContext(ctx, userCtx) 331 + r = r.WithContext(ctx) 332 + 333 + slog.Debug("Created UserContext", 334 + "component", "registry/middleware", 335 + "isAuthenticated", userCtx.IsAuthenticated, 336 + "authMethod", userCtx.AuthMethod, 337 + "action", userCtx.Action.String(), 338 + "pullerDID", pullerDID) 339 + 340 + next.ServeHTTP(w, r) 341 + }) 342 + } 343 + }

-11

pkg/appview/middleware/registry_test.go

··· 129 } 130 } 131 132 - // TestAuthErrorMessage tests the error message formatting 133 - func TestAuthErrorMessage(t *testing.T) { 134 - resolver := &NamespaceResolver{ 135 - baseURL: "https://atcr.io", 136 - } 137 - 138 - err := resolver.authErrorMessage("OAuth session expired") 139 - assert.Contains(t, err.Error(), "OAuth session expired") 140 - assert.Contains(t, err.Error(), "https://atcr.io/auth/oauth/login") 141 - } 142 - 143 // TestFindHoldDID_DefaultFallback tests default hold DID fallback 144 func TestFindHoldDID_DefaultFallback(t *testing.T) { 145 // Start a mock PDS server that returns 404 for profile and empty list for holds

··· 129 } 130 } 131 132 // TestFindHoldDID_DefaultFallback tests default hold DID fallback 133 func TestFindHoldDID_DefaultFallback(t *testing.T) { 134 // Start a mock PDS server that returns 404 for profile and empty list for holds

+23 -14

pkg/appview/routes/routes.go

··· 29 HealthChecker *holdhealth.Checker 30 ReadmeFetcher *readme.Fetcher 31 Templates *template.Template 32 } 33 34 // RegisterUIRoutes registers all web UI and API routes on the provided router ··· 36 // Extract trimmed registry URL for templates 37 registryURL := trimRegistryURL(deps.BaseURL) 38 39 // OAuth login routes (public) 40 router.Get("/auth/oauth/login", (&uihandlers.LoginHandler{ 41 Templates: deps.Templates, ··· 45 46 // Public routes (with optional auth for navbar) 47 // SECURITY: Public pages use read-only DB 48 - router.Get("/", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 49 &uihandlers.HomeHandler{ 50 DB: deps.ReadOnlyDB, 51 Templates: deps.Templates, ··· 53 }, 54 ).ServeHTTP) 55 56 - router.Get("/api/recent-pushes", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 57 &uihandlers.RecentPushesHandler{ 58 DB: deps.ReadOnlyDB, 59 Templates: deps.Templates, ··· 63 ).ServeHTTP) 64 65 // SECURITY: Search uses read-only DB to prevent writes and limit access to sensitive tables 66 - router.Get("/search", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 67 &uihandlers.SearchHandler{ 68 DB: deps.ReadOnlyDB, 69 Templates: deps.Templates, ··· 71 }, 72 ).ServeHTTP) 73 74 - router.Get("/api/search-results", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 75 &uihandlers.SearchResultsHandler{ 76 DB: deps.ReadOnlyDB, 77 Templates: deps.Templates, ··· 80 ).ServeHTTP) 81 82 // Install page (public) 83 - router.Get("/install", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 84 &uihandlers.InstallHandler{ 85 Templates: deps.Templates, 86 RegistryURL: registryURL, ··· 88 ).ServeHTTP) 89 90 // API route for repository stats (public, read-only) 91 - router.Get("/api/stats/{handle}/{repository}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 92 &uihandlers.GetStatsHandler{ 93 DB: deps.ReadOnlyDB, 94 Directory: deps.OAuthClientApp.Dir, ··· 96 ).ServeHTTP) 97 98 // API routes for stars (require authentication) 99 - router.Post("/api/stars/{handle}/{repository}", middleware.RequireAuth(deps.SessionStore, deps.Database)( 100 &uihandlers.StarRepositoryHandler{ 101 DB: deps.Database, // Needs write access 102 Directory: deps.OAuthClientApp.Dir, ··· 104 }, 105 ).ServeHTTP) 106 107 - router.Delete("/api/stars/{handle}/{repository}", middleware.RequireAuth(deps.SessionStore, deps.Database)( 108 &uihandlers.UnstarRepositoryHandler{ 109 DB: deps.Database, // Needs write access 110 Directory: deps.OAuthClientApp.Dir, ··· 112 }, 113 ).ServeHTTP) 114 115 - router.Get("/api/stars/{handle}/{repository}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 116 &uihandlers.CheckStarHandler{ 117 DB: deps.ReadOnlyDB, // Read-only check 118 Directory: deps.OAuthClientApp.Dir, ··· 121 ).ServeHTTP) 122 123 // Manifest detail API endpoint 124 - router.Get("/api/manifests/{handle}/{repository}/{digest}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 125 &uihandlers.ManifestDetailHandler{ 126 DB: deps.ReadOnlyDB, 127 Directory: deps.OAuthClientApp.Dir, ··· 133 HealthChecker: deps.HealthChecker, 134 }).ServeHTTP) 135 136 - router.Get("/u/{handle}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 137 &uihandlers.UserPageHandler{ 138 DB: deps.ReadOnlyDB, 139 Templates: deps.Templates, ··· 152 DB: deps.ReadOnlyDB, 153 }).ServeHTTP) 154 155 - router.Get("/r/{handle}/{repository}", middleware.OptionalAuth(deps.SessionStore, deps.Database)( 156 &uihandlers.RepositoryPageHandler{ 157 DB: deps.ReadOnlyDB, 158 Templates: deps.Templates, ··· 166 167 // Authenticated routes 168 router.Group(func(r chi.Router) { 169 - r.Use(middleware.RequireAuth(deps.SessionStore, deps.Database)) 170 171 r.Get("/settings", (&uihandlers.SettingsHandler{ 172 Templates: deps.Templates, ··· 226 router.Post("/auth/logout", logoutHandler.ServeHTTP) 227 228 // Custom 404 handler 229 - router.NotFound(middleware.OptionalAuth(deps.SessionStore, deps.Database)( 230 &uihandlers.NotFoundHandler{ 231 Templates: deps.Templates, 232 RegistryURL: registryURL,

··· 29 HealthChecker *holdhealth.Checker 30 ReadmeFetcher *readme.Fetcher 31 Templates *template.Template 32 + DefaultHoldDID string // For UserContext creation 33 } 34 35 // RegisterUIRoutes registers all web UI and API routes on the provided router ··· 37 // Extract trimmed registry URL for templates 38 registryURL := trimRegistryURL(deps.BaseURL) 39 40 + // Create web auth dependencies for middleware (enables UserContext in web routes) 41 + webAuthDeps := middleware.WebAuthDeps{ 42 + SessionStore: deps.SessionStore, 43 + Database: deps.Database, 44 + Refresher: deps.Refresher, 45 + DefaultHoldDID: deps.DefaultHoldDID, 46 + } 47 + 48 // OAuth login routes (public) 49 router.Get("/auth/oauth/login", (&uihandlers.LoginHandler{ 50 Templates: deps.Templates, ··· 54 55 // Public routes (with optional auth for navbar) 56 // SECURITY: Public pages use read-only DB 57 + router.Get("/", middleware.OptionalAuthWithDeps(webAuthDeps)( 58 &uihandlers.HomeHandler{ 59 DB: deps.ReadOnlyDB, 60 Templates: deps.Templates, ··· 62 }, 63 ).ServeHTTP) 64 65 + router.Get("/api/recent-pushes", middleware.OptionalAuthWithDeps(webAuthDeps)( 66 &uihandlers.RecentPushesHandler{ 67 DB: deps.ReadOnlyDB, 68 Templates: deps.Templates, ··· 72 ).ServeHTTP) 73 74 // SECURITY: Search uses read-only DB to prevent writes and limit access to sensitive tables 75 + router.Get("/search", middleware.OptionalAuthWithDeps(webAuthDeps)( 76 &uihandlers.SearchHandler{ 77 DB: deps.ReadOnlyDB, 78 Templates: deps.Templates, ··· 80 }, 81 ).ServeHTTP) 82 83 + router.Get("/api/search-results", middleware.OptionalAuthWithDeps(webAuthDeps)( 84 &uihandlers.SearchResultsHandler{ 85 DB: deps.ReadOnlyDB, 86 Templates: deps.Templates, ··· 89 ).ServeHTTP) 90 91 // Install page (public) 92 + router.Get("/install", middleware.OptionalAuthWithDeps(webAuthDeps)( 93 &uihandlers.InstallHandler{ 94 Templates: deps.Templates, 95 RegistryURL: registryURL, ··· 97 ).ServeHTTP) 98 99 // API route for repository stats (public, read-only) 100 + router.Get("/api/stats/{handle}/{repository}", middleware.OptionalAuthWithDeps(webAuthDeps)( 101 &uihandlers.GetStatsHandler{ 102 DB: deps.ReadOnlyDB, 103 Directory: deps.OAuthClientApp.Dir, ··· 105 ).ServeHTTP) 106 107 // API routes for stars (require authentication) 108 + router.Post("/api/stars/{handle}/{repository}", middleware.RequireAuthWithDeps(webAuthDeps)( 109 &uihandlers.StarRepositoryHandler{ 110 DB: deps.Database, // Needs write access 111 Directory: deps.OAuthClientApp.Dir, ··· 113 }, 114 ).ServeHTTP) 115 116 + router.Delete("/api/stars/{handle}/{repository}", middleware.RequireAuthWithDeps(webAuthDeps)( 117 &uihandlers.UnstarRepositoryHandler{ 118 DB: deps.Database, // Needs write access 119 Directory: deps.OAuthClientApp.Dir, ··· 121 }, 122 ).ServeHTTP) 123 124 + router.Get("/api/stars/{handle}/{repository}", middleware.OptionalAuthWithDeps(webAuthDeps)( 125 &uihandlers.CheckStarHandler{ 126 DB: deps.ReadOnlyDB, // Read-only check 127 Directory: deps.OAuthClientApp.Dir, ··· 130 ).ServeHTTP) 131 132 // Manifest detail API endpoint 133 + router.Get("/api/manifests/{handle}/{repository}/{digest}", middleware.OptionalAuthWithDeps(webAuthDeps)( 134 &uihandlers.ManifestDetailHandler{ 135 DB: deps.ReadOnlyDB, 136 Directory: deps.OAuthClientApp.Dir, ··· 142 HealthChecker: deps.HealthChecker, 143 }).ServeHTTP) 144 145 + router.Get("/u/{handle}", middleware.OptionalAuthWithDeps(webAuthDeps)( 146 &uihandlers.UserPageHandler{ 147 DB: deps.ReadOnlyDB, 148 Templates: deps.Templates, ··· 161 DB: deps.ReadOnlyDB, 162 }).ServeHTTP) 163 164 + router.Get("/r/{handle}/{repository}", middleware.OptionalAuthWithDeps(webAuthDeps)( 165 &uihandlers.RepositoryPageHandler{ 166 DB: deps.ReadOnlyDB, 167 Templates: deps.Templates, ··· 175 176 // Authenticated routes 177 router.Group(func(r chi.Router) { 178 + r.Use(middleware.RequireAuthWithDeps(webAuthDeps)) 179 180 r.Get("/settings", (&uihandlers.SettingsHandler{ 181 Templates: deps.Templates, ··· 235 router.Post("/auth/logout", logoutHandler.ServeHTTP) 236 237 // Custom 404 handler 238 + router.NotFound(middleware.OptionalAuthWithDeps(webAuthDeps)( 239 &uihandlers.NotFoundHandler{ 240 Templates: deps.Templates, 241 RegistryURL: registryURL,

-39

pkg/appview/storage/context.go

··· 1 - package storage 2 - 3 - import ( 4 - "atcr.io/pkg/appview/readme" 5 - "atcr.io/pkg/atproto" 6 - "atcr.io/pkg/auth" 7 - "atcr.io/pkg/auth/oauth" 8 - ) 9 - 10 - // DatabaseMetrics interface for tracking pull/push counts and querying hold DIDs 11 - type DatabaseMetrics interface { 12 - IncrementPullCount(did, repository string) error 13 - IncrementPushCount(did, repository string) error 14 - GetLatestHoldDIDForRepo(did, repository string) (string, error) 15 - } 16 - 17 - // RegistryContext bundles all the context needed for registry operations 18 - // This includes both per-request data (DID, hold) and shared services 19 - type RegistryContext struct { 20 - // Per-request identity and routing information 21 - // Owner = the user whose repository is being accessed 22 - // Puller = the authenticated user making the request (from JWT Subject) 23 - DID string // Owner's DID - whose repo is being accessed (e.g., "did:plc:abc123") 24 - Handle string // Owner's handle (e.g., "alice.bsky.social") 25 - HoldDID string // Hold service DID (e.g., "did:web:hold01.atcr.io") 26 - PDSEndpoint string // Owner's PDS endpoint URL 27 - Repository string // Image repository name (e.g., "debian") 28 - ServiceToken string // Service token for hold authentication (from puller's PDS) 29 - ATProtoClient *atproto.Client // Authenticated ATProto client for the owner 30 - AuthMethod string // Auth method used ("oauth" or "app_password") 31 - PullerDID string // Puller's DID - who is making the request (from JWT Subject) 32 - PullerPDSEndpoint string // Puller's PDS endpoint URL 33 - 34 - // Shared services (same for all requests) 35 - Database DatabaseMetrics // Metrics tracking database 36 - Authorizer auth.HoldAuthorizer // Hold access authorization 37 - Refresher *oauth.Refresher // OAuth session manager 38 - ReadmeFetcher *readme.Fetcher // README fetcher for repo pages 39 - }

···

-113

pkg/appview/storage/context_test.go

··· 1 - package storage 2 - 3 - import ( 4 - "sync" 5 - "testing" 6 - 7 - "atcr.io/pkg/atproto" 8 - ) 9 - 10 - // Mock implementations for testing 11 - type mockDatabaseMetrics struct { 12 - mu sync.Mutex 13 - pullCount int 14 - pushCount int 15 - } 16 - 17 - func (m *mockDatabaseMetrics) IncrementPullCount(did, repository string) error { 18 - m.mu.Lock() 19 - defer m.mu.Unlock() 20 - m.pullCount++ 21 - return nil 22 - } 23 - 24 - func (m *mockDatabaseMetrics) IncrementPushCount(did, repository string) error { 25 - m.mu.Lock() 26 - defer m.mu.Unlock() 27 - m.pushCount++ 28 - return nil 29 - } 30 - 31 - func (m *mockDatabaseMetrics) GetLatestHoldDIDForRepo(did, repository string) (string, error) { 32 - // Return empty string for mock - tests can override if needed 33 - return "", nil 34 - } 35 - 36 - func (m *mockDatabaseMetrics) getPullCount() int { 37 - m.mu.Lock() 38 - defer m.mu.Unlock() 39 - return m.pullCount 40 - } 41 - 42 - func (m *mockDatabaseMetrics) getPushCount() int { 43 - m.mu.Lock() 44 - defer m.mu.Unlock() 45 - return m.pushCount 46 - } 47 - 48 - type mockHoldAuthorizer struct{} 49 - 50 - func (m *mockHoldAuthorizer) Authorize(holdDID, userDID, permission string) (bool, error) { 51 - return true, nil 52 - } 53 - 54 - func TestRegistryContext_Fields(t *testing.T) { 55 - // Create a sample RegistryContext 56 - ctx := &RegistryContext{ 57 - DID: "did:plc:test123", 58 - Handle: "alice.bsky.social", 59 - HoldDID: "did:web:hold01.atcr.io", 60 - PDSEndpoint: "https://bsky.social", 61 - Repository: "debian", 62 - ServiceToken: "test-token", 63 - ATProtoClient: &atproto.Client{ 64 - // Mock client - would need proper initialization in real tests 65 - }, 66 - Database: &mockDatabaseMetrics{}, 67 - } 68 - 69 - // Verify fields are accessible 70 - if ctx.DID != "did:plc:test123" { 71 - t.Errorf("Expected DID %q, got %q", "did:plc:test123", ctx.DID) 72 - } 73 - if ctx.Handle != "alice.bsky.social" { 74 - t.Errorf("Expected Handle %q, got %q", "alice.bsky.social", ctx.Handle) 75 - } 76 - if ctx.HoldDID != "did:web:hold01.atcr.io" { 77 - t.Errorf("Expected HoldDID %q, got %q", "did:web:hold01.atcr.io", ctx.HoldDID) 78 - } 79 - if ctx.PDSEndpoint != "https://bsky.social" { 80 - t.Errorf("Expected PDSEndpoint %q, got %q", "https://bsky.social", ctx.PDSEndpoint) 81 - } 82 - if ctx.Repository != "debian" { 83 - t.Errorf("Expected Repository %q, got %q", "debian", ctx.Repository) 84 - } 85 - if ctx.ServiceToken != "test-token" { 86 - t.Errorf("Expected ServiceToken %q, got %q", "test-token", ctx.ServiceToken) 87 - } 88 - } 89 - 90 - func TestRegistryContext_DatabaseInterface(t *testing.T) { 91 - db := &mockDatabaseMetrics{} 92 - ctx := &RegistryContext{ 93 - Database: db, 94 - } 95 - 96 - // Test that interface methods are callable 97 - err := ctx.Database.IncrementPullCount("did:plc:test", "repo") 98 - if err != nil { 99 - t.Errorf("Unexpected error: %v", err) 100 - } 101 - 102 - err = ctx.Database.IncrementPushCount("did:plc:test", "repo") 103 - if err != nil { 104 - t.Errorf("Unexpected error: %v", err) 105 - } 106 - } 107 - 108 - // TODO: Add more comprehensive tests: 109 - // - Test ATProtoClient integration 110 - // - Test OAuth Refresher integration 111 - // - Test HoldAuthorizer integration 112 - // - Test nil handling for optional fields 113 - // - Integration tests with real components

···

-93

pkg/appview/storage/crew.go

··· 1 - package storage 2 - 3 - import ( 4 - "context" 5 - "fmt" 6 - "io" 7 - "log/slog" 8 - "net/http" 9 - "time" 10 - 11 - "atcr.io/pkg/atproto" 12 - "atcr.io/pkg/auth" 13 - "atcr.io/pkg/auth/oauth" 14 - ) 15 - 16 - // EnsureCrewMembership attempts to register the user as a crew member on their default hold. 17 - // The hold's requestCrew endpoint handles all authorization logic (checking allowAllCrew, existing membership, etc). 18 - // This is best-effort and does not fail on errors. 19 - func EnsureCrewMembership(ctx context.Context, client *atproto.Client, refresher *oauth.Refresher, defaultHoldDID string) { 20 - if defaultHoldDID == "" { 21 - return 22 - } 23 - 24 - // Normalize URL to DID if needed 25 - holdDID := atproto.ResolveHoldDIDFromURL(defaultHoldDID) 26 - if holdDID == "" { 27 - slog.Warn("failed to resolve hold DID", "defaultHold", defaultHoldDID) 28 - return 29 - } 30 - 31 - // Resolve hold DID to HTTP endpoint 32 - holdEndpoint := atproto.ResolveHoldURL(holdDID) 33 - 34 - // Get service token for the hold 35 - // Only works with OAuth (refresher required) - app passwords can't get service tokens 36 - if refresher == nil { 37 - slog.Debug("skipping crew registration - no OAuth refresher (app password flow)", "holdDID", holdDID) 38 - return 39 - } 40 - 41 - // Wrap the refresher to match OAuthSessionRefresher interface 42 - serviceToken, err := auth.GetOrFetchServiceToken(ctx, refresher, client.DID(), holdDID, client.PDSEndpoint()) 43 - if err != nil { 44 - slog.Warn("failed to get service token", "holdDID", holdDID, "error", err) 45 - return 46 - } 47 - 48 - // Call requestCrew endpoint - it handles all the logic: 49 - // - Checks allowAllCrew flag 50 - // - Checks if already a crew member (returns success if so) 51 - // - Creates crew record if authorized 52 - if err := requestCrewMembership(ctx, holdEndpoint, serviceToken); err != nil { 53 - slog.Warn("failed to request crew membership", "holdDID", holdDID, "error", err) 54 - return 55 - } 56 - 57 - slog.Info("successfully registered as crew member", "holdDID", holdDID, "userDID", client.DID()) 58 - } 59 - 60 - // requestCrewMembership calls the hold's requestCrew endpoint 61 - // The endpoint handles all authorization and duplicate checking internally 62 - func requestCrewMembership(ctx context.Context, holdEndpoint, serviceToken string) error { 63 - // Add 5 second timeout to prevent hanging on offline holds 64 - ctx, cancel := context.WithTimeout(ctx, 5*time.Second) 65 - defer cancel() 66 - 67 - url := fmt.Sprintf("%s%s", holdEndpoint, atproto.HoldRequestCrew) 68 - 69 - req, err := http.NewRequestWithContext(ctx, "POST", url, nil) 70 - if err != nil { 71 - return err 72 - } 73 - 74 - req.Header.Set("Authorization", "Bearer "+serviceToken) 75 - req.Header.Set("Content-Type", "application/json") 76 - 77 - resp, err := http.DefaultClient.Do(req) 78 - if err != nil { 79 - return err 80 - } 81 - defer resp.Body.Close() 82 - 83 - if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated { 84 - // Read response body to capture actual error message from hold 85 - body, readErr := io.ReadAll(resp.Body) 86 - if readErr != nil { 87 - return fmt.Errorf("requestCrew failed with status %d (failed to read error body: %w)", resp.StatusCode, readErr) 88 - } 89 - return fmt.Errorf("requestCrew failed with status %d: %s", resp.StatusCode, string(body)) 90 - } 91 - 92 - return nil 93 - }

···

-14

pkg/appview/storage/crew_test.go

··· 1 - package storage 2 - 3 - import ( 4 - "context" 5 - "testing" 6 - ) 7 - 8 - func TestEnsureCrewMembership_EmptyHoldDID(t *testing.T) { 9 - // Test that empty hold DID returns early without error (best-effort function) 10 - EnsureCrewMembership(context.Background(), nil, nil, "") 11 - // If we get here without panic, test passes 12 - } 13 - 14 - // TODO: Add comprehensive tests with HTTP client mocking

···

+53 -50

pkg/appview/storage/manifest_store.go

··· 3 import ( 4 "bytes" 5 "context" 6 "encoding/json" 7 "errors" 8 "fmt" ··· 12 "strings" 13 "time" 14 15 "atcr.io/pkg/appview/readme" 16 "atcr.io/pkg/atproto" 17 "github.com/distribution/distribution/v3" 18 "github.com/opencontainers/go-digest" 19 ) ··· 21 // ManifestStore implements distribution.ManifestService 22 // It stores manifests in ATProto as records 23 type ManifestStore struct { 24 - ctx *RegistryContext // Context with user/hold info 25 - blobStore distribution.BlobStore // Blob store for fetching config during push 26 } 27 28 // NewManifestStore creates a new ATProto-backed manifest store 29 - func NewManifestStore(ctx *RegistryContext, blobStore distribution.BlobStore) *ManifestStore { 30 return &ManifestStore{ 31 - ctx: ctx, 32 blobStore: blobStore, 33 } 34 } 35 36 // Exists checks if a manifest exists by digest 37 func (s *ManifestStore) Exists(ctx context.Context, dgst digest.Digest) (bool, error) { 38 rkey := digestToRKey(dgst) 39 - _, err := s.ctx.ATProtoClient.GetRecord(ctx, atproto.ManifestCollection, rkey) 40 if err != nil { 41 // If not found, return false without error 42 if errors.Is(err, atproto.ErrRecordNotFound) { ··· 50 // Get retrieves a manifest by digest 51 func (s *ManifestStore) Get(ctx context.Context, dgst digest.Digest, options ...distribution.ManifestServiceOption) (distribution.Manifest, error) { 52 rkey := digestToRKey(dgst) 53 - record, err := s.ctx.ATProtoClient.GetRecord(ctx, atproto.ManifestCollection, rkey) 54 if err != nil { 55 return nil, distribution.ErrManifestUnknownRevision{ 56 - Name: s.ctx.Repository, 57 Revision: dgst, 58 } 59 } ··· 67 68 // New records: Download blob from ATProto blob storage 69 if manifestRecord.ManifestBlob != nil && manifestRecord.ManifestBlob.Ref.Link != "" { 70 - ociManifest, err = s.ctx.ATProtoClient.GetBlob(ctx, manifestRecord.ManifestBlob.Ref.Link) 71 if err != nil { 72 return nil, fmt.Errorf("failed to download manifest blob: %w", err) 73 } ··· 75 76 // Track pull count (increment asynchronously to avoid blocking the response) 77 // Only count GET requests (actual downloads), not HEAD requests (existence checks) 78 - if s.ctx.Database != nil { 79 // Check HTTP method from context (distribution library stores it as "http.request.method") 80 if method, ok := ctx.Value("http.request.method").(string); ok && method == "GET" { 81 go func() { 82 - if err := s.ctx.Database.IncrementPullCount(s.ctx.DID, s.ctx.Repository); err != nil { 83 - slog.Warn("Failed to increment pull count", "did", s.ctx.DID, "repository", s.ctx.Repository, "error", err) 84 } 85 }() 86 } ··· 107 dgst := digest.FromBytes(payload) 108 109 // Upload manifest as blob to PDS 110 - blobRef, err := s.ctx.ATProtoClient.UploadBlob(ctx, payload, mediaType) 111 if err != nil { 112 return "", fmt.Errorf("failed to upload manifest blob: %w", err) 113 } 114 115 // Create manifest record with structured metadata 116 - manifestRecord, err := atproto.NewManifestRecord(s.ctx.Repository, dgst.String(), payload) 117 if err != nil { 118 return "", fmt.Errorf("failed to create manifest record: %w", err) 119 } 120 121 // Set the blob reference, hold DID, and hold endpoint 122 manifestRecord.ManifestBlob = blobRef 123 - manifestRecord.HoldDID = s.ctx.HoldDID // Primary reference (DID) 124 125 // Extract Dockerfile labels from config blob and add to annotations 126 // Only for image manifests (not manifest lists which don't have config blobs) ··· 150 platform = fmt.Sprintf("%s/%s", ref.Platform.OS, ref.Platform.Architecture) 151 } 152 slog.Warn("Manifest list references non-existent child manifest", 153 - "repository", s.ctx.Repository, 154 "missingDigest", ref.Digest, 155 "platform", platform) 156 return "", distribution.ErrManifestBlobUnknown{Digest: refDigest} ··· 185 186 // Store manifest record in ATProto 187 rkey := digestToRKey(dgst) 188 - _, err = s.ctx.ATProtoClient.PutRecord(ctx, atproto.ManifestCollection, rkey, manifestRecord) 189 if err != nil { 190 return "", fmt.Errorf("failed to store manifest record in ATProto: %w", err) 191 } 192 193 // Track push count (increment asynchronously to avoid blocking the response) 194 - if s.ctx.Database != nil { 195 go func() { 196 - if err := s.ctx.Database.IncrementPushCount(s.ctx.DID, s.ctx.Repository); err != nil { 197 - slog.Warn("Failed to increment push count", "did", s.ctx.DID, "repository", s.ctx.Repository, "error", err) 198 } 199 }() 200 } ··· 204 for _, option := range options { 205 if tagOpt, ok := option.(distribution.WithTagOption); ok { 206 tag = tagOpt.Tag 207 - tagRecord := atproto.NewTagRecord(s.ctx.ATProtoClient.DID(), s.ctx.Repository, tag, dgst.String()) 208 - tagRKey := atproto.RepositoryTagToRKey(s.ctx.Repository, tag) 209 - _, err = s.ctx.ATProtoClient.PutRecord(ctx, atproto.TagCollection, tagRKey, tagRecord) 210 if err != nil { 211 return "", fmt.Errorf("failed to store tag in ATProto: %w", err) 212 } ··· 215 216 // Notify hold about manifest upload (for layer tracking and Bluesky posts) 217 // Do this asynchronously to avoid blocking the push 218 - if tag != "" && s.ctx.ServiceToken != "" && s.ctx.Handle != "" { 219 - go func() { 220 defer func() { 221 if r := recover(); r != nil { 222 slog.Error("Panic in notifyHoldAboutManifest", "panic", r) 223 } 224 }() 225 - if err := s.notifyHoldAboutManifest(context.Background(), manifestRecord, tag, dgst.String()); err != nil { 226 slog.Warn("Failed to notify hold about manifest", "error", err) 227 } 228 - }() 229 } 230 231 // Create or update repo page asynchronously if manifest has relevant annotations ··· 245 // Delete removes a manifest 246 func (s *ManifestStore) Delete(ctx context.Context, dgst digest.Digest) error { 247 rkey := digestToRKey(dgst) 248 - return s.ctx.ATProtoClient.DeleteRecord(ctx, atproto.ManifestCollection, rkey) 249 } 250 251 // digestToRKey converts a digest to an ATProto record key ··· 300 301 // notifyHoldAboutManifest notifies the hold service about a manifest upload 302 // This enables the hold to create layer records and Bluesky posts 303 - func (s *ManifestStore) notifyHoldAboutManifest(ctx context.Context, manifestRecord *atproto.ManifestRecord, tag, manifestDigest string) error { 304 - // Skip if no service token configured (e.g., anonymous pulls) 305 - if s.ctx.ServiceToken == "" { 306 return nil 307 } 308 309 // Resolve hold DID to HTTP endpoint 310 // For did:web, this is straightforward (e.g., did:web:hold01.atcr.io → https://hold01.atcr.io) 311 - holdEndpoint := atproto.ResolveHoldURL(s.ctx.HoldDID) 312 313 - // Use service token from middleware (already cached and validated) 314 - serviceToken := s.ctx.ServiceToken 315 316 // Build notification request 317 manifestData := map[string]any{ ··· 360 } 361 362 notifyReq := map[string]any{ 363 - "repository": s.ctx.Repository, 364 "tag": tag, 365 - "userDid": s.ctx.DID, 366 - "userHandle": s.ctx.Handle, 367 "manifest": manifestData, 368 } 369 ··· 401 // Parse response (optional logging) 402 var notifyResp map[string]any 403 if err := json.NewDecoder(resp.Body).Decode(&notifyResp); err == nil { 404 - slog.Info("Hold notification successful", "repository", s.ctx.Repository, "tag", tag, "response", notifyResp) 405 } 406 407 return nil ··· 412 // Only creates a new record if one doesn't exist (doesn't overwrite user's custom content) 413 func (s *ManifestStore) ensureRepoPage(ctx context.Context, manifestRecord *atproto.ManifestRecord) { 414 // Check if repo page already exists (don't overwrite user's custom content) 415 - rkey := s.ctx.Repository 416 - _, err := s.ctx.ATProtoClient.GetRecord(ctx, atproto.RepoPageCollection, rkey) 417 if err == nil { 418 // Record already exists - don't overwrite 419 - slog.Debug("Repo page already exists, skipping creation", "did", s.ctx.DID, "repository", s.ctx.Repository) 420 return 421 } 422 423 // Only continue if it's a "not found" error - other errors mean we should skip 424 if !errors.Is(err, atproto.ErrRecordNotFound) { 425 - slog.Warn("Failed to check for existing repo page", "did", s.ctx.DID, "repository", s.ctx.Repository, "error", err) 426 return 427 } 428 ··· 448 } 449 450 // Create new repo page record with description and optional avatar 451 - repoPage := atproto.NewRepoPageRecord(s.ctx.Repository, description, avatarRef) 452 453 - slog.Info("Creating repo page from manifest annotations", "did", s.ctx.DID, "repository", s.ctx.Repository, "descriptionLength", len(description), "hasAvatar", avatarRef != nil) 454 455 - _, err = s.ctx.ATProtoClient.PutRecord(ctx, atproto.RepoPageCollection, rkey, repoPage) 456 if err != nil { 457 - slog.Warn("Failed to create repo page", "did", s.ctx.DID, "repository", s.ctx.Repository, "error", err) 458 return 459 } 460 461 - slog.Info("Repo page created successfully", "did", s.ctx.DID, "repository", s.ctx.Repository) 462 } 463 464 // fetchReadmeContent attempts to fetch README content from external sources 465 // Priority: io.atcr.readme annotation > derived from org.opencontainers.image.source 466 // Returns the raw markdown content, or empty string if not available 467 func (s *ManifestStore) fetchReadmeContent(ctx context.Context, annotations map[string]string) string { 468 - if s.ctx.ReadmeFetcher == nil { 469 - return "" 470 - } 471 472 // Create a context with timeout for README fetching (don't block push too long) 473 fetchCtx, cancel := context.WithTimeout(ctx, 10*time.Second) ··· 614 } 615 616 // Upload the icon as a blob to the user's PDS 617 - blobRef, err := s.ctx.ATProtoClient.UploadBlob(ctx, iconData, mimeType) 618 if err != nil { 619 slog.Warn("Failed to upload icon blob", "url", iconURL, "error", err) 620 return nil

··· 3 import ( 4 "bytes" 5 "context" 6 + "database/sql" 7 "encoding/json" 8 "errors" 9 "fmt" ··· 13 "strings" 14 "time" 15 16 + "atcr.io/pkg/appview/db" 17 "atcr.io/pkg/appview/readme" 18 "atcr.io/pkg/atproto" 19 + "atcr.io/pkg/auth" 20 "github.com/distribution/distribution/v3" 21 "github.com/opencontainers/go-digest" 22 ) ··· 24 // ManifestStore implements distribution.ManifestService 25 // It stores manifests in ATProto as records 26 type ManifestStore struct { 27 + ctx *auth.UserContext // User context with identity, target, permissions 28 + blobStore distribution.BlobStore // Blob store for fetching config during push 29 + sqlDB *sql.DB // Database for pull/push counts 30 } 31 32 // NewManifestStore creates a new ATProto-backed manifest store 33 + func NewManifestStore(userCtx *auth.UserContext, blobStore distribution.BlobStore, sqlDB *sql.DB) *ManifestStore { 34 return &ManifestStore{ 35 + ctx: userCtx, 36 blobStore: blobStore, 37 + sqlDB: sqlDB, 38 } 39 } 40 41 // Exists checks if a manifest exists by digest 42 func (s *ManifestStore) Exists(ctx context.Context, dgst digest.Digest) (bool, error) { 43 rkey := digestToRKey(dgst) 44 + _, err := s.ctx.GetATProtoClient().GetRecord(ctx, atproto.ManifestCollection, rkey) 45 if err != nil { 46 // If not found, return false without error 47 if errors.Is(err, atproto.ErrRecordNotFound) { ··· 55 // Get retrieves a manifest by digest 56 func (s *ManifestStore) Get(ctx context.Context, dgst digest.Digest, options ...distribution.ManifestServiceOption) (distribution.Manifest, error) { 57 rkey := digestToRKey(dgst) 58 + record, err := s.ctx.GetATProtoClient().GetRecord(ctx, atproto.ManifestCollection, rkey) 59 if err != nil { 60 return nil, distribution.ErrManifestUnknownRevision{ 61 + Name: s.ctx.TargetRepo, 62 Revision: dgst, 63 } 64 } ··· 72 73 // New records: Download blob from ATProto blob storage 74 if manifestRecord.ManifestBlob != nil && manifestRecord.ManifestBlob.Ref.Link != "" { 75 + ociManifest, err = s.ctx.GetATProtoClient().GetBlob(ctx, manifestRecord.ManifestBlob.Ref.Link) 76 if err != nil { 77 return nil, fmt.Errorf("failed to download manifest blob: %w", err) 78 } ··· 80 81 // Track pull count (increment asynchronously to avoid blocking the response) 82 // Only count GET requests (actual downloads), not HEAD requests (existence checks) 83 + if s.sqlDB != nil { 84 // Check HTTP method from context (distribution library stores it as "http.request.method") 85 if method, ok := ctx.Value("http.request.method").(string); ok && method == "GET" { 86 go func() { 87 + if err := db.IncrementPullCount(s.sqlDB, s.ctx.TargetOwnerDID, s.ctx.TargetRepo); err != nil { 88 + slog.Warn("Failed to increment pull count", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "error", err) 89 } 90 }() 91 } ··· 112 dgst := digest.FromBytes(payload) 113 114 // Upload manifest as blob to PDS 115 + blobRef, err := s.ctx.GetATProtoClient().UploadBlob(ctx, payload, mediaType) 116 if err != nil { 117 return "", fmt.Errorf("failed to upload manifest blob: %w", err) 118 } 119 120 // Create manifest record with structured metadata 121 + manifestRecord, err := atproto.NewManifestRecord(s.ctx.TargetRepo, dgst.String(), payload) 122 if err != nil { 123 return "", fmt.Errorf("failed to create manifest record: %w", err) 124 } 125 126 // Set the blob reference, hold DID, and hold endpoint 127 manifestRecord.ManifestBlob = blobRef 128 + manifestRecord.HoldDID = s.ctx.TargetHoldDID // Primary reference (DID) 129 130 // Extract Dockerfile labels from config blob and add to annotations 131 // Only for image manifests (not manifest lists which don't have config blobs) ··· 155 platform = fmt.Sprintf("%s/%s", ref.Platform.OS, ref.Platform.Architecture) 156 } 157 slog.Warn("Manifest list references non-existent child manifest", 158 + "repository", s.ctx.TargetRepo, 159 "missingDigest", ref.Digest, 160 "platform", platform) 161 return "", distribution.ErrManifestBlobUnknown{Digest: refDigest} ··· 190 191 // Store manifest record in ATProto 192 rkey := digestToRKey(dgst) 193 + _, err = s.ctx.GetATProtoClient().PutRecord(ctx, atproto.ManifestCollection, rkey, manifestRecord) 194 if err != nil { 195 return "", fmt.Errorf("failed to store manifest record in ATProto: %w", err) 196 } 197 198 // Track push count (increment asynchronously to avoid blocking the response) 199 + if s.sqlDB != nil { 200 go func() { 201 + if err := db.IncrementPushCount(s.sqlDB, s.ctx.TargetOwnerDID, s.ctx.TargetRepo); err != nil { 202 + slog.Warn("Failed to increment push count", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "error", err) 203 } 204 }() 205 } ··· 209 for _, option := range options { 210 if tagOpt, ok := option.(distribution.WithTagOption); ok { 211 tag = tagOpt.Tag 212 + tagRecord := atproto.NewTagRecord(s.ctx.GetATProtoClient().DID(), s.ctx.TargetRepo, tag, dgst.String()) 213 + tagRKey := atproto.RepositoryTagToRKey(s.ctx.TargetRepo, tag) 214 + _, err = s.ctx.GetATProtoClient().PutRecord(ctx, atproto.TagCollection, tagRKey, tagRecord) 215 if err != nil { 216 return "", fmt.Errorf("failed to store tag in ATProto: %w", err) 217 } ··· 220 221 // Notify hold about manifest upload (for layer tracking and Bluesky posts) 222 // Do this asynchronously to avoid blocking the push 223 + // Get service token before goroutine (requires context) 224 + serviceToken, _ := s.ctx.GetServiceToken(ctx) 225 + if tag != "" && serviceToken != "" && s.ctx.TargetOwnerHandle != "" { 226 + go func(serviceToken string) { 227 defer func() { 228 if r := recover(); r != nil { 229 slog.Error("Panic in notifyHoldAboutManifest", "panic", r) 230 } 231 }() 232 + if err := s.notifyHoldAboutManifest(context.Background(), manifestRecord, tag, dgst.String(), serviceToken); err != nil { 233 slog.Warn("Failed to notify hold about manifest", "error", err) 234 } 235 + }(serviceToken) 236 } 237 238 // Create or update repo page asynchronously if manifest has relevant annotations ··· 252 // Delete removes a manifest 253 func (s *ManifestStore) Delete(ctx context.Context, dgst digest.Digest) error { 254 rkey := digestToRKey(dgst) 255 + return s.ctx.GetATProtoClient().DeleteRecord(ctx, atproto.ManifestCollection, rkey) 256 } 257 258 // digestToRKey converts a digest to an ATProto record key ··· 307 308 // notifyHoldAboutManifest notifies the hold service about a manifest upload 309 // This enables the hold to create layer records and Bluesky posts 310 + func (s *ManifestStore) notifyHoldAboutManifest(ctx context.Context, manifestRecord *atproto.ManifestRecord, tag, manifestDigest, serviceToken string) error { 311 + // Skip if no service token provided 312 + if serviceToken == "" { 313 return nil 314 } 315 316 // Resolve hold DID to HTTP endpoint 317 // For did:web, this is straightforward (e.g., did:web:hold01.atcr.io → https://hold01.atcr.io) 318 + holdEndpoint := atproto.ResolveHoldURL(s.ctx.TargetHoldDID) 319 320 + // Service token is passed in (already cached and validated) 321 322 // Build notification request 323 manifestData := map[string]any{ ··· 366 } 367 368 notifyReq := map[string]any{ 369 + "repository": s.ctx.TargetRepo, 370 "tag": tag, 371 + "userDid": s.ctx.TargetOwnerDID, 372 + "userHandle": s.ctx.TargetOwnerHandle, 373 "manifest": manifestData, 374 } 375 ··· 407 // Parse response (optional logging) 408 var notifyResp map[string]any 409 if err := json.NewDecoder(resp.Body).Decode(&notifyResp); err == nil { 410 + slog.Info("Hold notification successful", "repository", s.ctx.TargetRepo, "tag", tag, "response", notifyResp) 411 } 412 413 return nil ··· 418 // Only creates a new record if one doesn't exist (doesn't overwrite user's custom content) 419 func (s *ManifestStore) ensureRepoPage(ctx context.Context, manifestRecord *atproto.ManifestRecord) { 420 // Check if repo page already exists (don't overwrite user's custom content) 421 + rkey := s.ctx.TargetRepo 422 + _, err := s.ctx.GetATProtoClient().GetRecord(ctx, atproto.RepoPageCollection, rkey) 423 if err == nil { 424 // Record already exists - don't overwrite 425 + slog.Debug("Repo page already exists, skipping creation", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo) 426 return 427 } 428 429 // Only continue if it's a "not found" error - other errors mean we should skip 430 if !errors.Is(err, atproto.ErrRecordNotFound) { 431 + slog.Warn("Failed to check for existing repo page", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "error", err) 432 return 433 } 434 ··· 454 } 455 456 // Create new repo page record with description and optional avatar 457 + repoPage := atproto.NewRepoPageRecord(s.ctx.TargetRepo, description, avatarRef) 458 459 + slog.Info("Creating repo page from manifest annotations", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "descriptionLength", len(description), "hasAvatar", avatarRef != nil) 460 461 + _, err = s.ctx.GetATProtoClient().PutRecord(ctx, atproto.RepoPageCollection, rkey, repoPage) 462 if err != nil { 463 + slog.Warn("Failed to create repo page", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo, "error", err) 464 return 465 } 466 467 + slog.Info("Repo page created successfully", "did", s.ctx.TargetOwnerDID, "repository", s.ctx.TargetRepo) 468 } 469 470 // fetchReadmeContent attempts to fetch README content from external sources 471 // Priority: io.atcr.readme annotation > derived from org.opencontainers.image.source 472 // Returns the raw markdown content, or empty string if not available 473 func (s *ManifestStore) fetchReadmeContent(ctx context.Context, annotations map[string]string) string { 474 475 // Create a context with timeout for README fetching (don't block push too long) 476 fetchCtx, cancel := context.WithTimeout(ctx, 10*time.Second) ··· 617 } 618 619 // Upload the icon as a blob to the user's PDS 620 + blobRef, err := s.ctx.GetATProtoClient().UploadBlob(ctx, iconData, mimeType) 621 if err != nil { 622 slog.Warn("Failed to upload icon blob", "url", iconURL, "error", err) 623 return nil

+122 -160

pkg/appview/storage/manifest_store_test.go

··· 8 "net/http" 9 "net/http/httptest" 10 "testing" 11 - "time" 12 13 "atcr.io/pkg/atproto" 14 "github.com/distribution/distribution/v3" 15 "github.com/opencontainers/go-digest" 16 ) 17 18 - // mockDatabaseMetrics removed - using the one from context_test.go 19 - 20 // mockBlobStore is a minimal mock of distribution.BlobStore for testing 21 type mockBlobStore struct { 22 blobs map[digest.Digest][]byte ··· 72 return nil, nil // Not needed for current tests 73 } 74 75 - // mockRegistryContext creates a mock RegistryContext for testing 76 - func mockRegistryContext(client *atproto.Client, repository, holdDID, did, handle string, database DatabaseMetrics) *RegistryContext { 77 - return &RegistryContext{ 78 - ATProtoClient: client, 79 - Repository: repository, 80 - HoldDID: holdDID, 81 - DID: did, 82 - Handle: handle, 83 - Database: database, 84 - } 85 } 86 87 // TestDigestToRKey tests digest to record key conversion ··· 115 116 // TestNewManifestStore tests creating a new manifest store 117 func TestNewManifestStore(t *testing.T) { 118 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 119 blobStore := newMockBlobStore() 120 - db := &mockDatabaseMetrics{} 121 - 122 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:alice123", "alice.test", db) 123 - store := NewManifestStore(ctx, blobStore) 124 125 - if store.ctx.Repository != "myapp" { 126 - t.Errorf("repository = %v, want myapp", store.ctx.Repository) 127 } 128 - if store.ctx.HoldDID != "did:web:hold.example.com" { 129 - t.Errorf("holdDID = %v, want did:web:hold.example.com", store.ctx.HoldDID) 130 } 131 - if store.ctx.DID != "did:plc:alice123" { 132 - t.Errorf("did = %v, want did:plc:alice123", store.ctx.DID) 133 } 134 - if store.ctx.Handle != "alice.test" { 135 - t.Errorf("handle = %v, want alice.test", store.ctx.Handle) 136 } 137 } 138 ··· 187 blobStore.blobs[configDigest] = configData 188 189 // Create manifest store 190 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 191 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 192 - store := NewManifestStore(ctx, blobStore) 193 194 // Extract labels 195 labels, err := store.extractConfigLabels(context.Background(), configDigest.String()) ··· 227 configDigest := digest.FromBytes(configData) 228 blobStore.blobs[configDigest] = configData 229 230 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 231 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 232 - store := NewManifestStore(ctx, blobStore) 233 234 labels, err := store.extractConfigLabels(context.Background(), configDigest.String()) 235 if err != nil { ··· 245 // TestExtractConfigLabels_InvalidDigest tests error handling for invalid digest 246 func TestExtractConfigLabels_InvalidDigest(t *testing.T) { 247 blobStore := newMockBlobStore() 248 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 249 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 250 - store := NewManifestStore(ctx, blobStore) 251 252 _, err := store.extractConfigLabels(context.Background(), "invalid-digest") 253 if err == nil { ··· 264 configDigest := digest.FromBytes(configData) 265 blobStore.blobs[configDigest] = configData 266 267 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 268 - ctx := mockRegistryContext(client, "myapp", "", "did:plc:test123", "test.handle", nil) 269 - store := NewManifestStore(ctx, blobStore) 270 271 _, err := store.extractConfigLabels(context.Background(), configDigest.String()) 272 if err == nil { ··· 274 } 275 } 276 277 - // TestManifestStore_WithMetrics tests that metrics are tracked 278 - func TestManifestStore_WithMetrics(t *testing.T) { 279 - db := &mockDatabaseMetrics{} 280 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 281 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:alice123", "alice.test", db) 282 - store := NewManifestStore(ctx, nil) 283 - 284 - if store.ctx.Database != db { 285 - t.Error("ManifestStore should store database reference") 286 - } 287 - 288 - // Note: Actual metrics tracking happens in Put() and Get() which require 289 - // full mock setup. The important thing is that the database is wired up. 290 - } 291 - 292 - // TestManifestStore_WithoutMetrics tests that nil database is acceptable 293 - func TestManifestStore_WithoutMetrics(t *testing.T) { 294 - client := atproto.NewClient("https://pds.example.com", "did:plc:test123", "token") 295 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:alice123", "alice.test", nil) 296 - store := NewManifestStore(ctx, nil) 297 - 298 - if store.ctx.Database != nil { 299 t.Error("ManifestStore should accept nil database") 300 } 301 } ··· 345 })) 346 defer server.Close() 347 348 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 349 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", nil) 350 - store := NewManifestStore(ctx, nil) 351 352 exists, err := store.Exists(context.Background(), tt.digest) 353 if (err != nil) != tt.wantErr { ··· 463 })) 464 defer server.Close() 465 466 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 467 - db := &mockDatabaseMetrics{} 468 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", db) 469 - store := NewManifestStore(ctx, nil) 470 471 manifest, err := store.Get(context.Background(), tt.digest) 472 if (err != nil) != tt.wantErr { ··· 487 } 488 } 489 490 - // TestManifestStore_Get_OnlyCountsGETRequests verifies that HEAD requests don't increment pull count 491 - func TestManifestStore_Get_OnlyCountsGETRequests(t *testing.T) { 492 - ociManifest := []byte(`{"schemaVersion":2}`) 493 - 494 - tests := []struct { 495 - name string 496 - httpMethod string 497 - expectPullIncrement bool 498 - }{ 499 - { 500 - name: "GET request increments pull count", 501 - httpMethod: "GET", 502 - expectPullIncrement: true, 503 - }, 504 - { 505 - name: "HEAD request does not increment pull count", 506 - httpMethod: "HEAD", 507 - expectPullIncrement: false, 508 - }, 509 - { 510 - name: "POST request does not increment pull count", 511 - httpMethod: "POST", 512 - expectPullIncrement: false, 513 - }, 514 - } 515 - 516 - for _, tt := range tests { 517 - t.Run(tt.name, func(t *testing.T) { 518 - server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 519 - if r.URL.Path == atproto.SyncGetBlob { 520 - w.Write(ociManifest) 521 - return 522 - } 523 - w.Write([]byte(`{ 524 - "uri": "at://did:plc:test123/io.atcr.manifest/abc123", 525 - "value": { 526 - "$type":"io.atcr.manifest", 527 - "holdDid":"did:web:hold01.atcr.io", 528 - "mediaType":"application/vnd.oci.image.manifest.v1+json", 529 - "manifestBlob":{"ref":{"$link":"bafytest"},"size":100} 530 - } 531 - }`)) 532 - })) 533 - defer server.Close() 534 - 535 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 536 - mockDB := &mockDatabaseMetrics{} 537 - ctx := mockRegistryContext(client, "myapp", "did:web:hold01.atcr.io", "did:plc:test123", "test.handle", mockDB) 538 - store := NewManifestStore(ctx, nil) 539 - 540 - // Create a context with the HTTP method stored (as distribution library does) 541 - testCtx := context.WithValue(context.Background(), "http.request.method", tt.httpMethod) 542 - 543 - _, err := store.Get(testCtx, "sha256:abc123") 544 - if err != nil { 545 - t.Fatalf("Get() error = %v", err) 546 - } 547 - 548 - // Wait for async goroutine to complete (metrics are incremented asynchronously) 549 - time.Sleep(50 * time.Millisecond) 550 - 551 - if tt.expectPullIncrement { 552 - // Check that IncrementPullCount was called 553 - if mockDB.getPullCount() == 0 { 554 - t.Error("Expected pull count to be incremented for GET request, but it wasn't") 555 - } 556 - } else { 557 - // Check that IncrementPullCount was NOT called 558 - if mockDB.getPullCount() > 0 { 559 - t.Errorf("Expected pull count NOT to be incremented for %s request, but it was (count=%d)", tt.httpMethod, mockDB.getPullCount()) 560 - } 561 - } 562 - }) 563 - } 564 - } 565 - 566 // TestManifestStore_Put tests storing manifests 567 func TestManifestStore_Put(t *testing.T) { 568 ociManifest := []byte(`{ ··· 654 })) 655 defer server.Close() 656 657 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 658 - db := &mockDatabaseMetrics{} 659 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", db) 660 - store := NewManifestStore(ctx, nil) 661 662 dgst, err := store.Put(context.Background(), tt.manifest, tt.options...) 663 if (err != nil) != tt.wantErr { ··· 706 })) 707 defer server.Close() 708 709 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 710 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", nil) 711 712 // Use config digest in manifest 713 ociManifestWithConfig := []byte(`{ ··· 722 payload: ociManifestWithConfig, 723 } 724 725 - store := NewManifestStore(ctx, blobStore) 726 727 _, err := store.Put(context.Background(), manifest) 728 if err != nil { ··· 782 })) 783 defer server.Close() 784 785 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 786 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", nil) 787 - store := NewManifestStore(ctx, nil) 788 789 err := store.Delete(context.Background(), tt.digest) 790 if (err != nil) != tt.wantErr { ··· 938 })) 939 defer server.Close() 940 941 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 942 - db := &mockDatabaseMetrics{} 943 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", db) 944 - store := NewManifestStore(ctx, nil) 945 946 manifest := &rawManifest{ 947 mediaType: "application/vnd.oci.image.index.v1+json", ··· 1015 })) 1016 defer server.Close() 1017 1018 - client := atproto.NewClient(server.URL, "did:plc:test123", "token") 1019 - ctx := mockRegistryContext(client, "myapp", "did:web:hold.example.com", "did:plc:test123", "test.handle", nil) 1020 - store := NewManifestStore(ctx, nil) 1021 1022 // Create manifest list with both children 1023 manifestList := []byte(`{

··· 8 "net/http" 9 "net/http/httptest" 10 "testing" 11 12 "atcr.io/pkg/atproto" 13 + "atcr.io/pkg/auth" 14 "github.com/distribution/distribution/v3" 15 "github.com/opencontainers/go-digest" 16 ) 17 18 // mockBlobStore is a minimal mock of distribution.BlobStore for testing 19 type mockBlobStore struct { 20 blobs map[digest.Digest][]byte ··· 70 return nil, nil // Not needed for current tests 71 } 72 73 + // mockUserContextForManifest creates a mock auth.UserContext for manifest store testing 74 + func mockUserContextForManifest(pdsEndpoint, repository, holdDID, ownerDID, ownerHandle string) *auth.UserContext { 75 + userCtx := auth.NewUserContext(ownerDID, "oauth", "PUT", nil) 76 + userCtx.SetTarget(ownerDID, ownerHandle, pdsEndpoint, repository, holdDID) 77 + return userCtx 78 } 79 80 // TestDigestToRKey tests digest to record key conversion ··· 108 109 // TestNewManifestStore tests creating a new manifest store 110 func TestNewManifestStore(t *testing.T) { 111 blobStore := newMockBlobStore() 112 + userCtx := mockUserContextForManifest( 113 + "https://pds.example.com", 114 + "myapp", 115 + "did:web:hold.example.com", 116 + "did:plc:alice123", 117 + "alice.test", 118 + ) 119 + store := NewManifestStore(userCtx, blobStore, nil) 120 121 + if store.ctx.TargetRepo != "myapp" { 122 + t.Errorf("repository = %v, want myapp", store.ctx.TargetRepo) 123 } 124 + if store.ctx.TargetHoldDID != "did:web:hold.example.com" { 125 + t.Errorf("holdDID = %v, want did:web:hold.example.com", store.ctx.TargetHoldDID) 126 } 127 + if store.ctx.TargetOwnerDID != "did:plc:alice123" { 128 + t.Errorf("did = %v, want did:plc:alice123", store.ctx.TargetOwnerDID) 129 } 130 + if store.ctx.TargetOwnerHandle != "alice.test" { 131 + t.Errorf("handle = %v, want alice.test", store.ctx.TargetOwnerHandle) 132 } 133 } 134 ··· 183 blobStore.blobs[configDigest] = configData 184 185 // Create manifest store 186 + userCtx := mockUserContextForManifest( 187 + "https://pds.example.com", 188 + "myapp", 189 + "", 190 + "did:plc:test123", 191 + "test.handle", 192 + ) 193 + store := NewManifestStore(userCtx, blobStore, nil) 194 195 // Extract labels 196 labels, err := store.extractConfigLabels(context.Background(), configDigest.String()) ··· 228 configDigest := digest.FromBytes(configData) 229 blobStore.blobs[configDigest] = configData 230 231 + userCtx := mockUserContextForManifest( 232 + "https://pds.example.com", 233 + "myapp", 234 + "", 235 + "did:plc:test123", 236 + "test.handle", 237 + ) 238 + store := NewManifestStore(userCtx, blobStore, nil) 239 240 labels, err := store.extractConfigLabels(context.Background(), configDigest.String()) 241 if err != nil { ··· 251 // TestExtractConfigLabels_InvalidDigest tests error handling for invalid digest 252 func TestExtractConfigLabels_InvalidDigest(t *testing.T) { 253 blobStore := newMockBlobStore() 254 + userCtx := mockUserContextForManifest( 255 + "https://pds.example.com", 256 + "myapp", 257 + "", 258 + "did:plc:test123", 259 + "test.handle", 260 + ) 261 + store := NewManifestStore(userCtx, blobStore, nil) 262 263 _, err := store.extractConfigLabels(context.Background(), "invalid-digest") 264 if err == nil { ··· 275 configDigest := digest.FromBytes(configData) 276 blobStore.blobs[configDigest] = configData 277 278 + userCtx := mockUserContextForManifest( 279 + "https://pds.example.com", 280 + "myapp", 281 + "", 282 + "did:plc:test123", 283 + "test.handle", 284 + ) 285 + store := NewManifestStore(userCtx, blobStore, nil) 286 287 _, err := store.extractConfigLabels(context.Background(), configDigest.String()) 288 if err == nil { ··· 290 } 291 } 292 293 + // TestManifestStore_WithoutDatabase tests that nil database is acceptable 294 + func TestManifestStore_WithoutDatabase(t *testing.T) { 295 + userCtx := mockUserContextForManifest( 296 + "https://pds.example.com", 297 + "myapp", 298 + "did:web:hold.example.com", 299 + "did:plc:alice123", 300 + "alice.test", 301 + ) 302 + store := NewManifestStore(userCtx, nil, nil) 303 + 304 + if store.sqlDB != nil { 305 t.Error("ManifestStore should accept nil database") 306 } 307 } ··· 351 })) 352 defer server.Close() 353 354 + userCtx := mockUserContextForManifest( 355 + server.URL, 356 + "myapp", 357 + "did:web:hold.example.com", 358 + "did:plc:test123", 359 + "test.handle", 360 + ) 361 + store := NewManifestStore(userCtx, nil, nil) 362 363 exists, err := store.Exists(context.Background(), tt.digest) 364 if (err != nil) != tt.wantErr { ··· 474 })) 475 defer server.Close() 476 477 + userCtx := mockUserContextForManifest( 478 + server.URL, 479 + "myapp", 480 + "did:web:hold.example.com", 481 + "did:plc:test123", 482 + "test.handle", 483 + ) 484 + store := NewManifestStore(userCtx, nil, nil) 485 486 manifest, err := store.Get(context.Background(), tt.digest) 487 if (err != nil) != tt.wantErr { ··· 502 } 503 } 504 505 // TestManifestStore_Put tests storing manifests 506 func TestManifestStore_Put(t *testing.T) { 507 ociManifest := []byte(`{ ··· 593 })) 594 defer server.Close() 595 596 + userCtx := mockUserContextForManifest( 597 + server.URL, 598 + "myapp", 599 + "did:web:hold.example.com", 600 + "did:plc:test123", 601 + "test.handle", 602 + ) 603 + store := NewManifestStore(userCtx, nil, nil) 604 605 dgst, err := store.Put(context.Background(), tt.manifest, tt.options...) 606 if (err != nil) != tt.wantErr { ··· 649 })) 650 defer server.Close() 651 652 + userCtx := mockUserContextForManifest( 653 + server.URL, 654 + "myapp", 655 + "did:web:hold.example.com", 656 + "did:plc:test123", 657 + "test.handle", 658 + ) 659 660 // Use config digest in manifest 661 ociManifestWithConfig := []byte(`{ ··· 670 payload: ociManifestWithConfig, 671 } 672 673 + store := NewManifestStore(userCtx, blobStore, nil) 674 675 _, err := store.Put(context.Background(), manifest) 676 if err != nil { ··· 730 })) 731 defer server.Close() 732 733 + userCtx := mockUserContextForManifest( 734 + server.URL, 735 + "myapp", 736 + "did:web:hold.example.com", 737 + "did:plc:test123", 738 + "test.handle", 739 + ) 740 + store := NewManifestStore(userCtx, nil, nil) 741 742 err := store.Delete(context.Background(), tt.digest) 743 if (err != nil) != tt.wantErr { ··· 891 })) 892 defer server.Close() 893 894 + userCtx := mockUserContextForManifest( 895 + server.URL, 896 + "myapp", 897 + "did:web:hold.example.com", 898 + "did:plc:test123", 899 + "test.handle", 900 + ) 901 + store := NewManifestStore(userCtx, nil, nil) 902 903 manifest := &rawManifest{ 904 mediaType: "application/vnd.oci.image.index.v1+json", ··· 972 })) 973 defer server.Close() 974 975 + userCtx := mockUserContextForManifest( 976 + server.URL, 977 + "myapp", 978 + "did:web:hold.example.com", 979 + "did:plc:test123", 980 + "test.handle", 981 + ) 982 + store := NewManifestStore(userCtx, nil, nil) 983 984 // Create manifest list with both children 985 manifestList := []byte(`{

+26 -28

pkg/appview/storage/proxy_blob_store.go

··· 12 "time" 13 14 "atcr.io/pkg/atproto" 15 "github.com/distribution/distribution/v3" 16 "github.com/distribution/distribution/v3/registry/api/errcode" 17 "github.com/opencontainers/go-digest" ··· 32 33 // ProxyBlobStore proxies blob requests to an external storage service 34 type ProxyBlobStore struct { 35 - ctx *RegistryContext // All context and services 36 - holdURL string // Resolved HTTP URL for XRPC requests 37 httpClient *http.Client 38 } 39 40 // NewProxyBlobStore creates a new proxy blob store 41 - func NewProxyBlobStore(ctx *RegistryContext) *ProxyBlobStore { 42 // Resolve DID to URL once at construction time 43 - holdURL := atproto.ResolveHoldURL(ctx.HoldDID) 44 45 - slog.Debug("NewProxyBlobStore created", "component", "proxy_blob_store", "hold_did", ctx.HoldDID, "hold_url", holdURL, "user_did", ctx.DID, "repo", ctx.Repository) 46 47 return &ProxyBlobStore{ 48 - ctx: ctx, 49 holdURL: holdURL, 50 httpClient: &http.Client{ 51 Timeout: 5 * time.Minute, // Timeout for presigned URL requests and uploads ··· 61 } 62 63 // doAuthenticatedRequest performs an HTTP request with service token authentication 64 - // Uses the service token from middleware to authenticate requests to the hold service 65 func (p *ProxyBlobStore) doAuthenticatedRequest(ctx context.Context, req *http.Request) (*http.Response, error) { 66 - // Use service token that middleware already validated and cached 67 - // Middleware fails fast with HTTP 401 if OAuth session is invalid 68 - if p.ctx.ServiceToken == "" { 69 // Should never happen - middleware validates OAuth before handlers run 70 slog.Error("No service token in context", "component", "proxy_blob_store", "did", p.ctx.DID) 71 return nil, fmt.Errorf("no service token available (middleware should have validated)") 72 } 73 74 // Add Bearer token to Authorization header 75 - req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", p.ctx.ServiceToken)) 76 77 return p.httpClient.Do(req) 78 } 79 80 // checkReadAccess validates that the user has read access to blobs in this hold 81 func (p *ProxyBlobStore) checkReadAccess(ctx context.Context) error { 82 - if p.ctx.Authorizer == nil { 83 - return nil // No authorization check if authorizer not configured 84 - } 85 - allowed, err := p.ctx.Authorizer.CheckReadAccess(ctx, p.ctx.HoldDID, p.ctx.DID) 86 if err != nil { 87 return fmt.Errorf("authorization check failed: %w", err) 88 } 89 - if !allowed { 90 // Return 403 Forbidden instead of masquerading as missing blob 91 return errcode.ErrorCodeDenied.WithMessage("read access denied") 92 } ··· 95 96 // checkWriteAccess validates that the user has write access to blobs in this hold 97 func (p *ProxyBlobStore) checkWriteAccess(ctx context.Context) error { 98 - if p.ctx.Authorizer == nil { 99 - return nil // No authorization check if authorizer not configured 100 - } 101 - 102 - slog.Debug("Checking write access", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.HoldDID) 103 - allowed, err := p.ctx.Authorizer.CheckWriteAccess(ctx, p.ctx.HoldDID, p.ctx.DID) 104 if err != nil { 105 slog.Error("Authorization check error", "component", "proxy_blob_store", "error", err) 106 return fmt.Errorf("authorization check failed: %w", err) 107 } 108 - if !allowed { 109 - slog.Warn("Write access denied", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.HoldDID) 110 - return errcode.ErrorCodeDenied.WithMessage(fmt.Sprintf("write access denied to hold %s", p.ctx.HoldDID)) 111 } 112 - slog.Debug("Write access allowed", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.HoldDID) 113 return nil 114 } 115 ··· 356 // getPresignedURL returns the XRPC endpoint URL for blob operations 357 func (p *ProxyBlobStore) getPresignedURL(ctx context.Context, operation string, dgst digest.Digest) (string, error) { 358 // Use XRPC endpoint: /xrpc/com.atproto.sync.getBlob?did={userDID}&cid={digest} 359 - // The 'did' parameter is the USER's DID (whose blob we're fetching), not the hold service DID 360 // Per migration doc: hold accepts OCI digest directly as cid parameter (checks for sha256: prefix) 361 xrpcURL := fmt.Sprintf("%s%s?did=%s&cid=%s&method=%s", 362 - p.holdURL, atproto.SyncGetBlob, p.ctx.DID, dgst.String(), operation) 363 364 req, err := http.NewRequestWithContext(ctx, "GET", xrpcURL, nil) 365 if err != nil {

··· 12 "time" 13 14 "atcr.io/pkg/atproto" 15 + "atcr.io/pkg/auth" 16 "github.com/distribution/distribution/v3" 17 "github.com/distribution/distribution/v3/registry/api/errcode" 18 "github.com/opencontainers/go-digest" ··· 33 34 // ProxyBlobStore proxies blob requests to an external storage service 35 type ProxyBlobStore struct { 36 + ctx *auth.UserContext // User context with identity, target, permissions 37 + holdURL string // Resolved HTTP URL for XRPC requests 38 httpClient *http.Client 39 } 40 41 // NewProxyBlobStore creates a new proxy blob store 42 + func NewProxyBlobStore(userCtx *auth.UserContext) *ProxyBlobStore { 43 // Resolve DID to URL once at construction time 44 + holdURL := atproto.ResolveHoldURL(userCtx.TargetHoldDID) 45 46 + slog.Debug("NewProxyBlobStore created", "component", "proxy_blob_store", "hold_did", userCtx.TargetHoldDID, "hold_url", holdURL, "user_did", userCtx.TargetOwnerDID, "repo", userCtx.TargetRepo) 47 48 return &ProxyBlobStore{ 49 + ctx: userCtx, 50 holdURL: holdURL, 51 httpClient: &http.Client{ 52 Timeout: 5 * time.Minute, // Timeout for presigned URL requests and uploads ··· 62 } 63 64 // doAuthenticatedRequest performs an HTTP request with service token authentication 65 + // Uses the service token from UserContext to authenticate requests to the hold service 66 func (p *ProxyBlobStore) doAuthenticatedRequest(ctx context.Context, req *http.Request) (*http.Response, error) { 67 + // Get service token from UserContext (lazy-loaded and cached per holdDID) 68 + serviceToken, err := p.ctx.GetServiceToken(ctx) 69 + if err != nil { 70 + slog.Error("Failed to get service token", "component", "proxy_blob_store", "did", p.ctx.DID, "error", err) 71 + return nil, fmt.Errorf("failed to get service token: %w", err) 72 + } 73 + if serviceToken == "" { 74 // Should never happen - middleware validates OAuth before handlers run 75 slog.Error("No service token in context", "component", "proxy_blob_store", "did", p.ctx.DID) 76 return nil, fmt.Errorf("no service token available (middleware should have validated)") 77 } 78 79 // Add Bearer token to Authorization header 80 + req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", serviceToken)) 81 82 return p.httpClient.Do(req) 83 } 84 85 // checkReadAccess validates that the user has read access to blobs in this hold 86 func (p *ProxyBlobStore) checkReadAccess(ctx context.Context) error { 87 + canRead, err := p.ctx.CanRead(ctx) 88 if err != nil { 89 return fmt.Errorf("authorization check failed: %w", err) 90 } 91 + if !canRead { 92 // Return 403 Forbidden instead of masquerading as missing blob 93 return errcode.ErrorCodeDenied.WithMessage("read access denied") 94 } ··· 97 98 // checkWriteAccess validates that the user has write access to blobs in this hold 99 func (p *ProxyBlobStore) checkWriteAccess(ctx context.Context) error { 100 + slog.Debug("Checking write access", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.TargetHoldDID) 101 + canWrite, err := p.ctx.CanWrite(ctx) 102 if err != nil { 103 slog.Error("Authorization check error", "component", "proxy_blob_store", "error", err) 104 return fmt.Errorf("authorization check failed: %w", err) 105 } 106 + if !canWrite { 107 + slog.Warn("Write access denied", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.TargetHoldDID) 108 + return errcode.ErrorCodeDenied.WithMessage(fmt.Sprintf("write access denied to hold %s", p.ctx.TargetHoldDID)) 109 } 110 + slog.Debug("Write access allowed", "component", "proxy_blob_store", "user_did", p.ctx.DID, "hold_did", p.ctx.TargetHoldDID) 111 return nil 112 } 113 ··· 354 // getPresignedURL returns the XRPC endpoint URL for blob operations 355 func (p *ProxyBlobStore) getPresignedURL(ctx context.Context, operation string, dgst digest.Digest) (string, error) { 356 // Use XRPC endpoint: /xrpc/com.atproto.sync.getBlob?did={userDID}&cid={digest} 357 + // The 'did' parameter is the TARGET OWNER's DID (whose blob we're fetching), not the hold service DID 358 // Per migration doc: hold accepts OCI digest directly as cid parameter (checks for sha256: prefix) 359 xrpcURL := fmt.Sprintf("%s%s?did=%s&cid=%s&method=%s", 360 + p.holdURL, atproto.SyncGetBlob, p.ctx.TargetOwnerDID, dgst.String(), operation) 361 362 req, err := http.NewRequestWithContext(ctx, "GET", xrpcURL, nil) 363 if err != nil {

+67 -409

pkg/appview/storage/proxy_blob_store_test.go

··· 1 package storage 2 3 import ( 4 - "context" 5 "encoding/base64" 6 - "encoding/json" 7 "fmt" 8 - "net/http" 9 - "net/http/httptest" 10 "strings" 11 "testing" 12 "time" 13 14 "atcr.io/pkg/atproto" 15 "atcr.io/pkg/auth" 16 - "github.com/opencontainers/go-digest" 17 ) 18 19 - // TestGetServiceToken_CachingLogic tests the token caching mechanism 20 func TestGetServiceToken_CachingLogic(t *testing.T) { 21 - userDID := "did:plc:test" 22 holdDID := "did:web:hold.example.com" 23 24 // Test 1: Empty cache - invalidate any existing token ··· 30 31 // Test 2: Insert token into cache 32 // Create a JWT-like token with exp claim for testing 33 - // Format: header.payload.signature where payload has exp claim 34 testPayload := fmt.Sprintf(`{"exp":%d}`, time.Now().Add(50*time.Second).Unix()) 35 testToken := "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(testPayload) + ".signature" 36 ··· 70 return strings.TrimRight(base64.URLEncoding.EncodeToString([]byte(data)), "=") 71 } 72 73 - // TestServiceToken_EmptyInContext tests that operations fail when service token is missing 74 - func TestServiceToken_EmptyInContext(t *testing.T) { 75 - ctx := &RegistryContext{ 76 - DID: "did:plc:test", 77 - HoldDID: "did:web:hold.example.com", 78 - PDSEndpoint: "https://pds.example.com", 79 - Repository: "test-repo", 80 - ServiceToken: "", // No service token (middleware didn't set it) 81 - Refresher: nil, 82 - } 83 84 - store := NewProxyBlobStore(ctx) 85 86 - // Try a write operation that requires authentication 87 - testDigest := digest.FromString("test-content") 88 - _, err := store.Stat(context.Background(), testDigest) 89 90 - // Should fail because no service token is available 91 - if err == nil { 92 - t.Error("Expected error when service token is empty") 93 - } 94 95 - // Error should indicate authentication issue 96 - if !strings.Contains(err.Error(), "UNAUTHORIZED") && !strings.Contains(err.Error(), "authentication") { 97 - t.Logf("Got error (acceptable): %v", err) 98 - } 99 } 100 101 - // TestDoAuthenticatedRequest_BearerTokenInjection tests that Bearer tokens are added to requests 102 - func TestDoAuthenticatedRequest_BearerTokenInjection(t *testing.T) { 103 - // This test verifies the Bearer token injection logic 104 - 105 - testToken := "test-bearer-token-xyz" 106 - 107 - // Create a test server to verify the Authorization header 108 - var receivedAuthHeader string 109 - testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 110 - receivedAuthHeader = r.Header.Get("Authorization") 111 - w.WriteHeader(http.StatusOK) 112 - })) 113 - defer testServer.Close() 114 - 115 - // Create ProxyBlobStore with service token in context (set by middleware) 116 - ctx := &RegistryContext{ 117 - DID: "did:plc:bearer-test", 118 - HoldDID: "did:web:hold.example.com", 119 - PDSEndpoint: "https://pds.example.com", 120 - Repository: "test-repo", 121 - ServiceToken: testToken, // Service token from middleware 122 - Refresher: nil, 123 - } 124 - 125 - store := NewProxyBlobStore(ctx) 126 - 127 - // Create request 128 - req, err := http.NewRequest(http.MethodGet, testServer.URL+"/test", nil) 129 - if err != nil { 130 - t.Fatalf("Failed to create request: %v", err) 131 - } 132 - 133 - // Do authenticated request 134 - resp, err := store.doAuthenticatedRequest(context.Background(), req) 135 - if err != nil { 136 - t.Fatalf("doAuthenticatedRequest failed: %v", err) 137 - } 138 - defer resp.Body.Close() 139 - 140 - // Verify Bearer token was added 141 - expectedHeader := "Bearer " + testToken 142 - if receivedAuthHeader != expectedHeader { 143 - t.Errorf("Expected Authorization header %s, got %s", expectedHeader, receivedAuthHeader) 144 - } 145 } 146 147 - // TestDoAuthenticatedRequest_ErrorWhenTokenUnavailable tests that authentication failures return proper errors 148 - func TestDoAuthenticatedRequest_ErrorWhenTokenUnavailable(t *testing.T) { 149 - // Create test server (should not be called since auth fails first) 150 - called := false 151 - testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 152 - called = true 153 - w.WriteHeader(http.StatusOK) 154 - })) 155 - defer testServer.Close() 156 - 157 - // Create ProxyBlobStore without service token (middleware didn't set it) 158 - ctx := &RegistryContext{ 159 - DID: "did:plc:fallback", 160 - HoldDID: "did:web:hold.example.com", 161 - PDSEndpoint: "https://pds.example.com", 162 - Repository: "test-repo", 163 - ServiceToken: "", // No service token 164 - Refresher: nil, 165 - } 166 - 167 - store := NewProxyBlobStore(ctx) 168 - 169 - // Create request 170 - req, err := http.NewRequest(http.MethodGet, testServer.URL+"/test", nil) 171 - if err != nil { 172 - t.Fatalf("Failed to create request: %v", err) 173 - } 174 - 175 - // Do authenticated request - should fail when no service token 176 - resp, err := store.doAuthenticatedRequest(context.Background(), req) 177 - if err == nil { 178 - t.Fatal("Expected doAuthenticatedRequest to fail when no service token is available") 179 - } 180 - if resp != nil { 181 - resp.Body.Close() 182 - } 183 - 184 - // Verify error indicates authentication/authorization issue 185 - errStr := err.Error() 186 - if !strings.Contains(errStr, "service token") && !strings.Contains(errStr, "UNAUTHORIZED") { 187 - t.Errorf("Expected service token or unauthorized error, got: %v", err) 188 - } 189 - 190 - if called { 191 - t.Error("Expected request to NOT be made when authentication fails") 192 - } 193 - } 194 - 195 - // TestResolveHoldURL tests DID to URL conversion 196 func TestResolveHoldURL(t *testing.T) { 197 tests := []struct { 198 name string ··· 200 expected string 201 }{ 202 { 203 - name: "did:web with http (TEST_MODE)", 204 holdDID: "did:web:localhost:8080", 205 expected: "http://localhost:8080", 206 }, ··· 228 229 // TestServiceTokenCacheExpiry tests that expired cached tokens are not used 230 func TestServiceTokenCacheExpiry(t *testing.T) { 231 - userDID := "did:plc:expiry" 232 holdDID := "did:web:hold.example.com" 233 234 // Insert expired token ··· 272 273 // TestNewProxyBlobStore tests ProxyBlobStore creation 274 func TestNewProxyBlobStore(t *testing.T) { 275 - ctx := &RegistryContext{ 276 - DID: "did:plc:test", 277 - HoldDID: "did:web:hold.example.com", 278 - PDSEndpoint: "https://pds.example.com", 279 - Repository: "test-repo", 280 - } 281 282 - store := NewProxyBlobStore(ctx) 283 284 if store == nil { 285 t.Fatal("Expected non-nil ProxyBlobStore") 286 } 287 288 - if store.ctx != ctx { 289 t.Error("Expected context to be set") 290 } 291 ··· 321 } 322 } 323 324 - // TestCompleteMultipartUpload_JSONFormat verifies the JSON request format sent to hold service 325 - // This test would have caught the "partNumber" vs "part_number" bug 326 - func TestCompleteMultipartUpload_JSONFormat(t *testing.T) { 327 - var capturedBody map[string]any 328 - 329 - // Mock hold service that captures the request body 330 - holdServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 331 - if !strings.Contains(r.URL.Path, atproto.HoldCompleteUpload) { 332 - t.Errorf("Wrong endpoint called: %s", r.URL.Path) 333 - } 334 - 335 - // Capture request body 336 - var body map[string]any 337 - if err := json.NewDecoder(r.Body).Decode(&body); err != nil { 338 - t.Errorf("Failed to decode request body: %v", err) 339 - } 340 - capturedBody = body 341 - 342 - w.Header().Set("Content-Type", "application/json") 343 - w.WriteHeader(http.StatusOK) 344 - w.Write([]byte(`{}`)) 345 - })) 346 - defer holdServer.Close() 347 - 348 - // Create store with mocked hold URL 349 - ctx := &RegistryContext{ 350 - DID: "did:plc:test", 351 - HoldDID: "did:web:hold.example.com", 352 - PDSEndpoint: "https://pds.example.com", 353 - Repository: "test-repo", 354 - ServiceToken: "test-service-token", // Service token from middleware 355 - } 356 - store := NewProxyBlobStore(ctx) 357 - store.holdURL = holdServer.URL 358 - 359 - // Call completeMultipartUpload 360 - parts := []CompletedPart{ 361 - {PartNumber: 1, ETag: "etag-1"}, 362 - {PartNumber: 2, ETag: "etag-2"}, 363 - } 364 - err := store.completeMultipartUpload(context.Background(), "sha256:abc123", "upload-id-xyz", parts) 365 - if err != nil { 366 - t.Fatalf("completeMultipartUpload failed: %v", err) 367 - } 368 - 369 - // Verify JSON format 370 - if capturedBody == nil { 371 - t.Fatal("No request body was captured") 372 - } 373 - 374 - // Check top-level fields 375 - if uploadID, ok := capturedBody["uploadId"].(string); !ok || uploadID != "upload-id-xyz" { 376 - t.Errorf("Expected uploadId='upload-id-xyz', got %v", capturedBody["uploadId"]) 377 - } 378 - if digest, ok := capturedBody["digest"].(string); !ok || digest != "sha256:abc123" { 379 - t.Errorf("Expected digest='sha256:abc123', got %v", capturedBody["digest"]) 380 - } 381 - 382 - // Check parts array 383 - partsArray, ok := capturedBody["parts"].([]any) 384 - if !ok { 385 - t.Fatalf("Expected parts to be array, got %T", capturedBody["parts"]) 386 - } 387 - if len(partsArray) != 2 { 388 - t.Fatalf("Expected 2 parts, got %d", len(partsArray)) 389 - } 390 - 391 - // Verify first part has "part_number" (not "partNumber") 392 - part0, ok := partsArray[0].(map[string]any) 393 - if !ok { 394 - t.Fatalf("Expected part to be object, got %T", partsArray[0]) 395 - } 396 - 397 - // THIS IS THE KEY CHECK - would have caught the bug 398 - if _, hasPartNumber := part0["partNumber"]; hasPartNumber { 399 - t.Error("Found 'partNumber' (camelCase) - should be 'part_number' (snake_case)") 400 - } 401 - if partNum, ok := part0["part_number"].(float64); !ok || int(partNum) != 1 { 402 - t.Errorf("Expected part_number=1, got %v", part0["part_number"]) 403 - } 404 - if etag, ok := part0["etag"].(string); !ok || etag != "etag-1" { 405 - t.Errorf("Expected etag='etag-1', got %v", part0["etag"]) 406 - } 407 - } 408 - 409 - // TestGet_UsesPresignedURLDirectly verifies that Get() doesn't add auth headers to presigned URLs 410 - // This test would have caught the presigned URL authentication bug 411 - func TestGet_UsesPresignedURLDirectly(t *testing.T) { 412 - blobData := []byte("test blob content") 413 - var s3ReceivedAuthHeader string 414 - 415 - // Mock S3 server that rejects requests with Authorization header 416 - s3Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 417 - s3ReceivedAuthHeader = r.Header.Get("Authorization") 418 - 419 - // Presigned URLs should NOT have Authorization header 420 - if s3ReceivedAuthHeader != "" { 421 - t.Errorf("S3 received Authorization header: %s (should be empty for presigned URLs)", s3ReceivedAuthHeader) 422 - w.WriteHeader(http.StatusForbidden) 423 - w.Write([]byte(`<?xml version="1.0"?><Error><Code>SignatureDoesNotMatch</Code></Error>`)) 424 - return 425 - } 426 - 427 - // Return blob data 428 - w.WriteHeader(http.StatusOK) 429 - w.Write(blobData) 430 - })) 431 - defer s3Server.Close() 432 - 433 - // Mock hold service that returns presigned S3 URL 434 - holdServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 435 - // Return presigned URL pointing to S3 server 436 - w.Header().Set("Content-Type", "application/json") 437 - w.WriteHeader(http.StatusOK) 438 - resp := map[string]string{ 439 - "url": s3Server.URL + "/blob?X-Amz-Signature=fake-signature", 440 - } 441 - json.NewEncoder(w).Encode(resp) 442 - })) 443 - defer holdServer.Close() 444 - 445 - // Create store with service token in context 446 - ctx := &RegistryContext{ 447 - DID: "did:plc:test", 448 - HoldDID: "did:web:hold.example.com", 449 - PDSEndpoint: "https://pds.example.com", 450 - Repository: "test-repo", 451 - ServiceToken: "test-service-token", // Service token from middleware 452 - } 453 - store := NewProxyBlobStore(ctx) 454 - store.holdURL = holdServer.URL 455 - 456 - // Call Get() 457 - dgst := digest.FromBytes(blobData) 458 - retrieved, err := store.Get(context.Background(), dgst) 459 - if err != nil { 460 - t.Fatalf("Get() failed: %v", err) 461 - } 462 - 463 - // Verify correct data was retrieved 464 - if string(retrieved) != string(blobData) { 465 - t.Errorf("Expected data=%s, got %s", string(blobData), string(retrieved)) 466 - } 467 - 468 - // Verify S3 received NO Authorization header 469 - if s3ReceivedAuthHeader != "" { 470 - t.Errorf("S3 should not receive Authorization header for presigned URLs, got: %s", s3ReceivedAuthHeader) 471 - } 472 - } 473 - 474 - // TestOpen_UsesPresignedURLDirectly verifies that Open() doesn't add auth headers to presigned URLs 475 - // This test would have caught the presigned URL authentication bug 476 - func TestOpen_UsesPresignedURLDirectly(t *testing.T) { 477 - blobData := []byte("test blob stream content") 478 - var s3ReceivedAuthHeader string 479 - 480 - // Mock S3 server 481 - s3Server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 482 - s3ReceivedAuthHeader = r.Header.Get("Authorization") 483 - 484 - // Presigned URLs should NOT have Authorization header 485 - if s3ReceivedAuthHeader != "" { 486 - t.Errorf("S3 received Authorization header: %s (should be empty)", s3ReceivedAuthHeader) 487 - w.WriteHeader(http.StatusForbidden) 488 - return 489 - } 490 - 491 - w.WriteHeader(http.StatusOK) 492 - w.Write(blobData) 493 - })) 494 - defer s3Server.Close() 495 - 496 - // Mock hold service 497 - holdServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 498 - w.Header().Set("Content-Type", "application/json") 499 - w.WriteHeader(http.StatusOK) 500 - json.NewEncoder(w).Encode(map[string]string{ 501 - "url": s3Server.URL + "/blob?X-Amz-Signature=fake", 502 - }) 503 - })) 504 - defer holdServer.Close() 505 - 506 - // Create store with service token in context 507 - ctx := &RegistryContext{ 508 - DID: "did:plc:test", 509 - HoldDID: "did:web:hold.example.com", 510 - PDSEndpoint: "https://pds.example.com", 511 - Repository: "test-repo", 512 - ServiceToken: "test-service-token", // Service token from middleware 513 - } 514 - store := NewProxyBlobStore(ctx) 515 - store.holdURL = holdServer.URL 516 517 - // Call Open() 518 - dgst := digest.FromBytes(blobData) 519 - reader, err := store.Open(context.Background(), dgst) 520 if err != nil { 521 - t.Fatalf("Open() failed: %v", err) 522 } 523 - defer reader.Close() 524 525 - // Verify S3 received NO Authorization header 526 - if s3ReceivedAuthHeader != "" { 527 - t.Errorf("S3 should not receive Authorization header for presigned URLs, got: %s", s3ReceivedAuthHeader) 528 } 529 } 530 531 - // TestMultipartEndpoints_CorrectURLs verifies all multipart XRPC endpoints use correct URLs 532 - // This would have caught the old com.atproto.repo.uploadBlob vs new io.atcr.hold.* endpoints 533 - func TestMultipartEndpoints_CorrectURLs(t *testing.T) { 534 tests := []struct { 535 - name string 536 - testFunc func(*ProxyBlobStore) error 537 - expectedPath string 538 }{ 539 - { 540 - name: "startMultipartUpload", 541 - testFunc: func(store *ProxyBlobStore) error { 542 - _, err := store.startMultipartUpload(context.Background(), "sha256:test") 543 - return err 544 - }, 545 - expectedPath: atproto.HoldInitiateUpload, 546 - }, 547 - { 548 - name: "getPartUploadInfo", 549 - testFunc: func(store *ProxyBlobStore) error { 550 - _, err := store.getPartUploadInfo(context.Background(), "sha256:test", "upload-123", 1) 551 - return err 552 - }, 553 - expectedPath: atproto.HoldGetPartUploadURL, 554 - }, 555 - { 556 - name: "completeMultipartUpload", 557 - testFunc: func(store *ProxyBlobStore) error { 558 - parts := []CompletedPart{{PartNumber: 1, ETag: "etag1"}} 559 - return store.completeMultipartUpload(context.Background(), "sha256:test", "upload-123", parts) 560 - }, 561 - expectedPath: atproto.HoldCompleteUpload, 562 - }, 563 - { 564 - name: "abortMultipartUpload", 565 - testFunc: func(store *ProxyBlobStore) error { 566 - return store.abortMultipartUpload(context.Background(), "sha256:test", "upload-123") 567 - }, 568 - expectedPath: atproto.HoldAbortUpload, 569 - }, 570 } 571 572 for _, tt := range tests { 573 t.Run(tt.name, func(t *testing.T) { 574 - var capturedPath string 575 - 576 - // Mock hold service that captures request path 577 - holdServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 578 - capturedPath = r.URL.Path 579 - 580 - // Return success response 581 - w.Header().Set("Content-Type", "application/json") 582 - w.WriteHeader(http.StatusOK) 583 - resp := map[string]string{ 584 - "uploadId": "test-upload-id", 585 - "url": "https://s3.example.com/presigned", 586 - } 587 - json.NewEncoder(w).Encode(resp) 588 - })) 589 - defer holdServer.Close() 590 - 591 - // Create store with service token in context 592 - ctx := &RegistryContext{ 593 - DID: "did:plc:test", 594 - HoldDID: "did:web:hold.example.com", 595 - PDSEndpoint: "https://pds.example.com", 596 - Repository: "test-repo", 597 - ServiceToken: "test-service-token", // Service token from middleware 598 - } 599 - store := NewProxyBlobStore(ctx) 600 - store.holdURL = holdServer.URL 601 - 602 - // Call the function 603 - _ = tt.testFunc(store) // Ignore error, we just care about the URL 604 - 605 - // Verify correct endpoint was called 606 - if capturedPath != tt.expectedPath { 607 - t.Errorf("Expected endpoint %s, got %s", tt.expectedPath, capturedPath) 608 - } 609 - 610 - // Verify it's NOT the old endpoint 611 - if strings.Contains(capturedPath, "com.atproto.repo.uploadBlob") { 612 - t.Error("Still using old com.atproto.repo.uploadBlob endpoint!") 613 } 614 }) 615 } 616 }

··· 1 package storage 2 3 import ( 4 "encoding/base64" 5 "fmt" 6 "strings" 7 "testing" 8 "time" 9 10 "atcr.io/pkg/atproto" 11 "atcr.io/pkg/auth" 12 ) 13 14 + // TestGetServiceToken_CachingLogic tests the global service token caching mechanism 15 + // These tests use the global auth cache functions directly 16 func TestGetServiceToken_CachingLogic(t *testing.T) { 17 + userDID := "did:plc:cache-test" 18 holdDID := "did:web:hold.example.com" 19 20 // Test 1: Empty cache - invalidate any existing token ··· 26 27 // Test 2: Insert token into cache 28 // Create a JWT-like token with exp claim for testing 29 testPayload := fmt.Sprintf(`{"exp":%d}`, time.Now().Add(50*time.Second).Unix()) 30 testToken := "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(testPayload) + ".signature" 31 ··· 65 return strings.TrimRight(base64.URLEncoding.EncodeToString([]byte(data)), "=") 66 } 67 68 + // mockUserContextForProxy creates a mock auth.UserContext for proxy blob store testing. 69 + // It sets up both the user identity and target info, and configures test helpers 70 + // to bypass network calls. 71 + func mockUserContextForProxy(did, holdDID, pdsEndpoint, repository string) *auth.UserContext { 72 + userCtx := auth.NewUserContext(did, "oauth", "PUT", nil) 73 + userCtx.SetTarget(did, "test.handle", pdsEndpoint, repository, holdDID) 74 75 + // Bypass PDS resolution (avoids network calls) 76 + userCtx.SetPDSForTest("test.handle", pdsEndpoint) 77 78 + // Set up mock authorizer that allows access 79 + userCtx.SetAuthorizerForTest(auth.NewMockHoldAuthorizer()) 80 81 + // Set default hold DID for push resolution 82 + userCtx.SetDefaultHoldDIDForTest(holdDID) 83 84 + return userCtx 85 } 86 87 + // mockUserContextForProxyWithToken creates a mock UserContext with a pre-populated service token. 88 + func mockUserContextForProxyWithToken(did, holdDID, pdsEndpoint, repository, serviceToken string) *auth.UserContext { 89 + userCtx := mockUserContextForProxy(did, holdDID, pdsEndpoint, repository) 90 + userCtx.SetServiceTokenForTest(holdDID, serviceToken) 91 + return userCtx 92 } 93 94 + // TestResolveHoldURL tests DID to URL conversion (pure function) 95 func TestResolveHoldURL(t *testing.T) { 96 tests := []struct { 97 name string ··· 99 expected string 100 }{ 101 { 102 + name: "did:web with http (localhost)", 103 holdDID: "did:web:localhost:8080", 104 expected: "http://localhost:8080", 105 }, ··· 127 128 // TestServiceTokenCacheExpiry tests that expired cached tokens are not used 129 func TestServiceTokenCacheExpiry(t *testing.T) { 130 + userDID := "did:plc:expiry-test" 131 holdDID := "did:web:hold.example.com" 132 133 // Insert expired token ··· 171 172 // TestNewProxyBlobStore tests ProxyBlobStore creation 173 func TestNewProxyBlobStore(t *testing.T) { 174 + userCtx := mockUserContextForProxy( 175 + "did:plc:test", 176 + "did:web:hold.example.com", 177 + "https://pds.example.com", 178 + "test-repo", 179 + ) 180 181 + store := NewProxyBlobStore(userCtx) 182 183 if store == nil { 184 t.Fatal("Expected non-nil ProxyBlobStore") 185 } 186 187 + if store.ctx != userCtx { 188 t.Error("Expected context to be set") 189 } 190 ··· 220 } 221 } 222 223 + // TestParseJWTExpiry tests JWT expiry parsing 224 + func TestParseJWTExpiry(t *testing.T) { 225 + // Create a JWT with known expiry 226 + futureTime := time.Now().Add(1 * time.Hour).Unix() 227 + testPayload := fmt.Sprintf(`{"exp":%d}`, futureTime) 228 + testToken := "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(testPayload) + ".signature" 229 230 + expiry, err := auth.ParseJWTExpiry(testToken) 231 if err != nil { 232 + t.Fatalf("ParseJWTExpiry failed: %v", err) 233 } 234 235 + // Verify expiry is close to what we set (within 1 second tolerance) 236 + expectedExpiry := time.Unix(futureTime, 0) 237 + diff := expiry.Sub(expectedExpiry) 238 + if diff < -time.Second || diff > time.Second { 239 + t.Errorf("Expiry mismatch: expected %v, got %v", expectedExpiry, expiry) 240 } 241 } 242 243 + // TestParseJWTExpiry_InvalidToken tests error handling for invalid tokens 244 + func TestParseJWTExpiry_InvalidToken(t *testing.T) { 245 tests := []struct { 246 + name string 247 + token string 248 }{ 249 + {"empty token", ""}, 250 + {"single part", "header"}, 251 + {"two parts", "header.payload"}, 252 + {"invalid base64 payload", "header.!!!.signature"}, 253 + {"missing exp claim", "eyJhbGciOiJIUzI1NiJ9." + base64URLEncode(`{"sub":"test"}`) + ".sig"}, 254 } 255 256 for _, tt := range tests { 257 t.Run(tt.name, func(t *testing.T) { 258 + _, err := auth.ParseJWTExpiry(tt.token) 259 + if err == nil { 260 + t.Error("Expected error for invalid token") 261 } 262 }) 263 } 264 } 265 + 266 + // Note: Tests for doAuthenticatedRequest, Get, Open, completeMultipartUpload, etc. 267 + // require complex dependency mocking (OAuth refresher, PDS resolution, HoldAuthorizer). 268 + // These should be tested at the integration level with proper infrastructure. 269 + // 270 + // The current unit tests cover: 271 + // - Global service token cache (auth.GetServiceToken, auth.SetServiceToken, etc.) 272 + // - URL resolution (atproto.ResolveHoldURL) 273 + // - JWT parsing (auth.ParseJWTExpiry) 274 + // - Store construction (NewProxyBlobStore)

+39 -58

pkg/appview/storage/routing_repository.go

··· 6 7 import ( 8 "context" 9 "log/slog" 10 11 "github.com/distribution/distribution/v3" 12 ) 13 14 - // RoutingRepository routes manifests to ATProto and blobs to external hold service 15 - // The registry (AppView) is stateless and NEVER stores blobs locally 16 - // NOTE: A fresh instance is created per-request (see middleware/registry.go) 17 - // so no mutex is needed - each request has its own instance 18 type RoutingRepository struct { 19 distribution.Repository 20 - Ctx *RegistryContext // All context and services (exported for token updates) 21 - manifestStore *ManifestStore // Manifest store instance (lazy-initialized) 22 - blobStore *ProxyBlobStore // Blob store instance (lazy-initialized) 23 } 24 25 // NewRoutingRepository creates a new routing repository 26 - func NewRoutingRepository(baseRepo distribution.Repository, ctx *RegistryContext) *RoutingRepository { 27 return &RoutingRepository{ 28 Repository: baseRepo, 29 - Ctx: ctx, 30 } 31 } 32 33 // Manifests returns the ATProto-backed manifest service 34 func (r *RoutingRepository) Manifests(ctx context.Context, options ...distribution.ManifestServiceOption) (distribution.ManifestService, error) { 35 - // Lazy-initialize manifest store (no mutex needed - one instance per request) 36 - if r.manifestStore == nil { 37 - // Ensure blob store is created first (needed for label extraction during push) 38 - blobStore := r.Blobs(ctx) 39 - r.manifestStore = NewManifestStore(r.Ctx, blobStore) 40 - } 41 - return r.manifestStore, nil 42 } 43 44 // Blobs returns a proxy blob store that routes to external hold service 45 - // The registry (AppView) NEVER stores blobs locally - all blobs go through hold service 46 func (r *RoutingRepository) Blobs(ctx context.Context) distribution.BlobStore { 47 - // Return cached blob store if available (no mutex needed - one instance per request) 48 - if r.blobStore != nil { 49 - slog.Debug("Returning cached blob store", "component", "storage/blobs", "did", r.Ctx.DID, "repo", r.Ctx.Repository) 50 - return r.blobStore 51 - } 52 - 53 - // Determine if this is a pull (GET/HEAD) or push (PUT/POST/etc) operation 54 - // Pull operations use the historical hold DID from the database (blobs are where they were pushed) 55 - // Push operations use the discovery-based hold DID from user's profile/default 56 - // This allows users to change their default hold and have new pushes go there 57 - isPull := false 58 - if method, ok := ctx.Value("http.request.method").(string); ok { 59 - isPull = method == "GET" || method == "HEAD" 60 - } 61 - 62 - holdDID := r.Ctx.HoldDID // Default to discovery-based DID 63 - holdSource := "discovery" 64 - 65 - // Only query database for pull operations 66 - if isPull && r.Ctx.Database != nil { 67 - // Query database for the latest manifest's hold DID 68 - if dbHoldDID, err := r.Ctx.Database.GetLatestHoldDIDForRepo(r.Ctx.DID, r.Ctx.Repository); err == nil && dbHoldDID != "" { 69 - // Use hold DID from database (pull case - use historical reference) 70 - holdDID = dbHoldDID 71 - holdSource = "database" 72 - slog.Debug("Using hold from database manifest (pull)", "component", "storage/blobs", "did", r.Ctx.DID, "repo", r.Ctx.Repository, "hold", dbHoldDID) 73 - } else if err != nil { 74 - // Log error but don't fail - fall back to discovery-based DID 75 - slog.Warn("Failed to query database for hold DID", "component", "storage/blobs", "error", err) 76 - } 77 - // If dbHoldDID is empty (no manifests yet), fall through to use discovery-based DID 78 } 79 80 if holdDID == "" { 81 - // This should never happen if middleware is configured correctly 82 - panic("hold DID not set in RegistryContext - ensure default_hold_did is configured in middleware") 83 } 84 85 - slog.Debug("Using hold DID for blobs", "component", "storage/blobs", "did", r.Ctx.DID, "repo", r.Ctx.Repository, "hold", holdDID, "source", holdSource) 86 87 - // Update context with the correct hold DID (may be from database or discovered) 88 - r.Ctx.HoldDID = holdDID 89 - 90 - // Create and cache proxy blob store 91 - r.blobStore = NewProxyBlobStore(r.Ctx) 92 - return r.blobStore 93 } 94 95 // Tags returns the tag service 96 // Tags are stored in ATProto as io.atcr.tag records 97 func (r *RoutingRepository) Tags(ctx context.Context) distribution.TagService { 98 - return NewTagStore(r.Ctx.ATProtoClient, r.Ctx.Repository) 99 }

··· 6 7 import ( 8 "context" 9 + "database/sql" 10 "log/slog" 11 12 + "atcr.io/pkg/auth" 13 "github.com/distribution/distribution/v3" 14 + "github.com/distribution/reference" 15 ) 16 17 + // RoutingRepository routes manifests to ATProto and blobs to external hold service. 18 + // The registry (AppView) is stateless and NEVER stores blobs locally. 19 + // A new instance is created per HTTP request - no caching or synchronization needed. 20 type RoutingRepository struct { 21 distribution.Repository 22 + userCtx *auth.UserContext 23 + sqlDB *sql.DB 24 } 25 26 // NewRoutingRepository creates a new routing repository 27 + func NewRoutingRepository(baseRepo distribution.Repository, userCtx *auth.UserContext, sqlDB *sql.DB) *RoutingRepository { 28 return &RoutingRepository{ 29 Repository: baseRepo, 30 + userCtx: userCtx, 31 + sqlDB: sqlDB, 32 } 33 } 34 35 // Manifests returns the ATProto-backed manifest service 36 func (r *RoutingRepository) Manifests(ctx context.Context, options ...distribution.ManifestServiceOption) (distribution.ManifestService, error) { 37 + // blobStore used to fetch labels from th 38 + blobStore := r.Blobs(ctx) 39 + return NewManifestStore(r.userCtx, blobStore, r.sqlDB), nil 40 } 41 42 // Blobs returns a proxy blob store that routes to external hold service 43 func (r *RoutingRepository) Blobs(ctx context.Context) distribution.BlobStore { 44 + // Resolve hold DID: pull uses DB lookup, push uses profile discovery 45 + holdDID, err := r.userCtx.ResolveHoldDID(ctx, r.sqlDB) 46 + if err != nil { 47 + slog.Warn("Failed to resolve hold DID", "component", "storage/blobs", "error", err) 48 + holdDID = r.userCtx.TargetHoldDID 49 } 50 51 if holdDID == "" { 52 + panic("hold DID not set - ensure default_hold_did is configured in middleware") 53 } 54 55 + slog.Debug("Using hold DID for blobs", "component", "storage/blobs", "did", r.userCtx.TargetOwnerDID, "repo", r.userCtx.TargetRepo, "hold", holdDID, "action", r.userCtx.Action.String()) 56 57 + return NewProxyBlobStore(r.userCtx) 58 } 59 60 // Tags returns the tag service 61 // Tags are stored in ATProto as io.atcr.tag records 62 func (r *RoutingRepository) Tags(ctx context.Context) distribution.TagService { 63 + return NewTagStore(r.userCtx.GetATProtoClient(), r.userCtx.TargetRepo) 64 + } 65 + 66 + // Named returns a reference to the repository name. 67 + // If the base repository is set, it delegates to the base. 68 + // Otherwise, it constructs a name from the user context. 69 + func (r *RoutingRepository) Named() reference.Named { 70 + if r.Repository != nil { 71 + return r.Repository.Named() 72 + } 73 + // Construct from user context 74 + name, err := reference.WithName(r.userCtx.TargetRepo) 75 + if err != nil { 76 + // Fallback: return a simple reference 77 + name, _ = reference.WithName("unknown") 78 + } 79 + return name 80 }

+189 -313

pkg/appview/storage/routing_repository_test.go

··· 2 3 import ( 4 "context" 5 - "sync" 6 "testing" 7 8 - "github.com/distribution/distribution/v3" 9 "github.com/stretchr/testify/assert" 10 "github.com/stretchr/testify/require" 11 12 "atcr.io/pkg/atproto" 13 ) 14 15 - // mockDatabase is a simple mock for testing 16 - type mockDatabase struct { 17 - holdDID string 18 - err error 19 - } 20 21 - func (m *mockDatabase) IncrementPullCount(did, repository string) error { 22 - return nil 23 - } 24 25 - func (m *mockDatabase) IncrementPushCount(did, repository string) error { 26 - return nil 27 } 28 29 - func (m *mockDatabase) GetLatestHoldDIDForRepo(did, repository string) (string, error) { 30 - if m.err != nil { 31 - return "", m.err 32 - } 33 - return m.holdDID, nil 34 } 35 36 func TestNewRoutingRepository(t *testing.T) { 37 - ctx := &RegistryContext{ 38 - DID: "did:plc:test123", 39 - Repository: "debian", 40 - HoldDID: "did:web:hold01.atcr.io", 41 - ATProtoClient: &atproto.Client{}, 42 - } 43 - 44 - repo := NewRoutingRepository(nil, ctx) 45 - 46 - if repo.Ctx.DID != "did:plc:test123" { 47 - t.Errorf("Expected DID %q, got %q", "did:plc:test123", repo.Ctx.DID) 48 - } 49 - 50 - if repo.Ctx.Repository != "debian" { 51 - t.Errorf("Expected repository %q, got %q", "debian", repo.Ctx.Repository) 52 } 53 54 - if repo.manifestStore != nil { 55 - t.Error("Expected manifestStore to be nil initially") 56 } 57 58 - if repo.blobStore != nil { 59 - t.Error("Expected blobStore to be nil initially") 60 } 61 } 62 63 // TestRoutingRepository_Manifests tests the Manifests() method 64 func TestRoutingRepository_Manifests(t *testing.T) { 65 - ctx := &RegistryContext{ 66 - DID: "did:plc:test123", 67 - Repository: "myapp", 68 - HoldDID: "did:web:hold01.atcr.io", 69 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 70 - } 71 - 72 - repo := NewRoutingRepository(nil, ctx) 73 manifestService, err := repo.Manifests(context.Background()) 74 75 require.NoError(t, err) 76 assert.NotNil(t, manifestService) 77 - 78 - // Verify the manifest store is cached 79 - assert.NotNil(t, repo.manifestStore, "manifest store should be cached") 80 - 81 - // Call again and verify we get the same instance 82 - manifestService2, err := repo.Manifests(context.Background()) 83 - require.NoError(t, err) 84 - assert.Same(t, manifestService, manifestService2, "should return cached manifest store") 85 - } 86 - 87 - // TestRoutingRepository_ManifestStoreCaching tests that manifest store is cached 88 - func TestRoutingRepository_ManifestStoreCaching(t *testing.T) { 89 - ctx := &RegistryContext{ 90 - DID: "did:plc:test123", 91 - Repository: "myapp", 92 - HoldDID: "did:web:hold01.atcr.io", 93 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 94 - } 95 - 96 - repo := NewRoutingRepository(nil, ctx) 97 - 98 - // First call creates the store 99 - store1, err := repo.Manifests(context.Background()) 100 - require.NoError(t, err) 101 - assert.NotNil(t, store1) 102 - 103 - // Second call returns cached store 104 - store2, err := repo.Manifests(context.Background()) 105 - require.NoError(t, err) 106 - assert.Same(t, store1, store2, "should return cached manifest store instance") 107 - 108 - // Verify internal cache 109 - assert.NotNil(t, repo.manifestStore) 110 } 111 112 - // TestRoutingRepository_Blobs_PullUsesDatabase tests that GET and HEAD (pull) use database hold DID 113 - func TestRoutingRepository_Blobs_PullUsesDatabase(t *testing.T) { 114 - dbHoldDID := "did:web:database.hold.io" 115 - discoveryHoldDID := "did:web:discovery.hold.io" 116 - 117 - // Test both GET and HEAD as pull operations 118 - for _, method := range []string{"GET", "HEAD"} { 119 - // Reset context for each test 120 - ctx := &RegistryContext{ 121 - DID: "did:plc:test123", 122 - Repository: "myapp-" + method, // Unique repo to avoid caching 123 - HoldDID: discoveryHoldDID, 124 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 125 - Database: &mockDatabase{holdDID: dbHoldDID}, 126 - } 127 - repo := NewRoutingRepository(nil, ctx) 128 - 129 - pullCtx := context.WithValue(context.Background(), "http.request.method", method) 130 - blobStore := repo.Blobs(pullCtx) 131 - 132 - assert.NotNil(t, blobStore) 133 - // Verify the hold DID was updated to use the database value for pull 134 - assert.Equal(t, dbHoldDID, repo.Ctx.HoldDID, "pull (%s) should use database hold DID", method) 135 - } 136 - } 137 - 138 - // TestRoutingRepository_Blobs_PushUsesDiscovery tests that push operations use discovery hold DID 139 - func TestRoutingRepository_Blobs_PushUsesDiscovery(t *testing.T) { 140 - dbHoldDID := "did:web:database.hold.io" 141 - discoveryHoldDID := "did:web:discovery.hold.io" 142 - 143 - testCases := []struct { 144 - name string 145 - method string 146 - }{ 147 - {"PUT", "PUT"}, 148 - {"POST", "POST"}, 149 - // HEAD is now treated as pull (like GET) - see TestRoutingRepository_Blobs_Pull 150 - {"PATCH", "PATCH"}, 151 - {"DELETE", "DELETE"}, 152 - } 153 - 154 - for _, tc := range testCases { 155 - t.Run(tc.name, func(t *testing.T) { 156 - ctx := &RegistryContext{ 157 - DID: "did:plc:test123", 158 - Repository: "myapp-" + tc.method, // Unique repo to avoid caching 159 - HoldDID: discoveryHoldDID, 160 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 161 - Database: &mockDatabase{holdDID: dbHoldDID}, 162 - } 163 - 164 - repo := NewRoutingRepository(nil, ctx) 165 - 166 - // Create context with push method 167 - pushCtx := context.WithValue(context.Background(), "http.request.method", tc.method) 168 - blobStore := repo.Blobs(pushCtx) 169 - 170 - assert.NotNil(t, blobStore) 171 - // Verify the hold DID remains the discovery-based one for push operations 172 - assert.Equal(t, discoveryHoldDID, repo.Ctx.HoldDID, "%s should use discovery hold DID, not database", tc.method) 173 - }) 174 - } 175 - } 176 - 177 - // TestRoutingRepository_Blobs_NoMethodUsesDiscovery tests that missing method defaults to discovery 178 - func TestRoutingRepository_Blobs_NoMethodUsesDiscovery(t *testing.T) { 179 - dbHoldDID := "did:web:database.hold.io" 180 - discoveryHoldDID := "did:web:discovery.hold.io" 181 - 182 - ctx := &RegistryContext{ 183 - DID: "did:plc:test123", 184 - Repository: "myapp-nomethod", 185 - HoldDID: discoveryHoldDID, 186 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 187 - Database: &mockDatabase{holdDID: dbHoldDID}, 188 - } 189 - 190 - repo := NewRoutingRepository(nil, ctx) 191 - 192 - // Context without HTTP method (shouldn't happen in practice, but test defensive behavior) 193 blobStore := repo.Blobs(context.Background()) 194 195 assert.NotNil(t, blobStore) 196 - // Without method, should default to discovery (safer for push scenarios) 197 - assert.Equal(t, discoveryHoldDID, repo.Ctx.HoldDID, "missing method should use discovery hold DID") 198 - } 199 - 200 - // TestRoutingRepository_Blobs_WithoutDatabase tests blob store with discovery-based hold 201 - func TestRoutingRepository_Blobs_WithoutDatabase(t *testing.T) { 202 - discoveryHoldDID := "did:web:discovery.hold.io" 203 - 204 - ctx := &RegistryContext{ 205 - DID: "did:plc:nocache456", 206 - Repository: "uncached-app", 207 - HoldDID: discoveryHoldDID, 208 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:nocache456", ""), 209 - Database: nil, // No database 210 - } 211 - 212 - repo := NewRoutingRepository(nil, ctx) 213 - blobStore := repo.Blobs(context.Background()) 214 - 215 - assert.NotNil(t, blobStore) 216 - // Verify the hold DID remains the discovery-based one 217 - assert.Equal(t, discoveryHoldDID, repo.Ctx.HoldDID, "should use discovery-based hold DID") 218 - } 219 - 220 - // TestRoutingRepository_Blobs_DatabaseEmptyFallback tests fallback when database returns empty hold DID 221 - func TestRoutingRepository_Blobs_DatabaseEmptyFallback(t *testing.T) { 222 - discoveryHoldDID := "did:web:discovery.hold.io" 223 - 224 - ctx := &RegistryContext{ 225 - DID: "did:plc:test123", 226 - Repository: "newapp", 227 - HoldDID: discoveryHoldDID, 228 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 229 - Database: &mockDatabase{holdDID: ""}, // Empty string (no manifests yet) 230 - } 231 - 232 - repo := NewRoutingRepository(nil, ctx) 233 - blobStore := repo.Blobs(context.Background()) 234 - 235 - assert.NotNil(t, blobStore) 236 - // Verify the hold DID falls back to discovery-based 237 - assert.Equal(t, discoveryHoldDID, repo.Ctx.HoldDID, "should fall back to discovery-based hold DID when database returns empty") 238 - } 239 - 240 - // TestRoutingRepository_BlobStoreCaching tests that blob store is cached 241 - func TestRoutingRepository_BlobStoreCaching(t *testing.T) { 242 - ctx := &RegistryContext{ 243 - DID: "did:plc:test123", 244 - Repository: "myapp", 245 - HoldDID: "did:web:hold01.atcr.io", 246 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 247 - } 248 - 249 - repo := NewRoutingRepository(nil, ctx) 250 - 251 - // First call creates the store 252 - store1 := repo.Blobs(context.Background()) 253 - assert.NotNil(t, store1) 254 - 255 - // Second call returns cached store 256 - store2 := repo.Blobs(context.Background()) 257 - assert.Same(t, store1, store2, "should return cached blob store instance") 258 - 259 - // Verify internal cache 260 - assert.NotNil(t, repo.blobStore) 261 } 262 263 // TestRoutingRepository_Blobs_PanicOnEmptyHoldDID tests panic when hold DID is empty 264 func TestRoutingRepository_Blobs_PanicOnEmptyHoldDID(t *testing.T) { 265 - // Use a unique DID/repo to ensure no cache entry exists 266 - ctx := &RegistryContext{ 267 - DID: "did:plc:emptyholdtest999", 268 - Repository: "empty-hold-app", 269 - HoldDID: "", // Empty hold DID should panic 270 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:emptyholdtest999", ""), 271 - } 272 273 - repo := NewRoutingRepository(nil, ctx) 274 275 // Should panic with empty hold DID 276 assert.Panics(t, func() { ··· 280 281 // TestRoutingRepository_Tags tests the Tags() method 282 func TestRoutingRepository_Tags(t *testing.T) { 283 - ctx := &RegistryContext{ 284 - DID: "did:plc:test123", 285 - Repository: "myapp", 286 - HoldDID: "did:web:hold01.atcr.io", 287 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 288 - } 289 - 290 - repo := NewRoutingRepository(nil, ctx) 291 tagService := repo.Tags(context.Background()) 292 293 assert.NotNil(t, tagService) 294 295 - // Call again and verify we get a new instance (Tags() doesn't cache) 296 tagService2 := repo.Tags(context.Background()) 297 assert.NotNil(t, tagService2) 298 - // Tags service is not cached, so each call creates a new instance 299 } 300 301 - // TestRoutingRepository_ConcurrentAccess tests concurrent access to cached stores 302 - func TestRoutingRepository_ConcurrentAccess(t *testing.T) { 303 - ctx := &RegistryContext{ 304 - DID: "did:plc:test123", 305 - Repository: "myapp", 306 - HoldDID: "did:web:hold01.atcr.io", 307 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 308 - } 309 - 310 - repo := NewRoutingRepository(nil, ctx) 311 - 312 - var wg sync.WaitGroup 313 - numGoroutines := 10 314 - 315 - // Track all manifest stores returned 316 - manifestStores := make([]distribution.ManifestService, numGoroutines) 317 - blobStores := make([]distribution.BlobStore, numGoroutines) 318 - 319 - // Concurrent access to Manifests() 320 - for i := 0; i < numGoroutines; i++ { 321 - wg.Add(1) 322 - go func(index int) { 323 - defer wg.Done() 324 - store, err := repo.Manifests(context.Background()) 325 - require.NoError(t, err) 326 - manifestStores[index] = store 327 - }(i) 328 } 329 330 - wg.Wait() 331 - 332 - // Verify all stores are non-nil (due to race conditions, they may not all be the same instance) 333 - for i := 0; i < numGoroutines; i++ { 334 - assert.NotNil(t, manifestStores[i], "manifest store should not be nil") 335 } 336 337 - // After concurrent creation, subsequent calls should return the cached instance 338 - cachedStore, err := repo.Manifests(context.Background()) 339 - require.NoError(t, err) 340 - assert.NotNil(t, cachedStore) 341 - 342 - // Concurrent access to Blobs() 343 - for i := 0; i < numGoroutines; i++ { 344 - wg.Add(1) 345 - go func(index int) { 346 - defer wg.Done() 347 - blobStores[index] = repo.Blobs(context.Background()) 348 - }(i) 349 } 350 351 - wg.Wait() 352 - 353 - // Verify all stores are non-nil (due to race conditions, they may not all be the same instance) 354 - for i := 0; i < numGoroutines; i++ { 355 - assert.NotNil(t, blobStores[i], "blob store should not be nil") 356 } 357 358 - // After concurrent creation, subsequent calls should return the cached instance 359 - cachedBlobStore := repo.Blobs(context.Background()) 360 - assert.NotNil(t, cachedBlobStore) 361 } 362 363 - // TestRoutingRepository_Blobs_PullPriority tests that database hold DID takes priority for pull (GET) 364 - func TestRoutingRepository_Blobs_PullPriority(t *testing.T) { 365 - dbHoldDID := "did:web:database.hold.io" 366 - discoveryHoldDID := "did:web:discovery.hold.io" 367 - 368 - ctx := &RegistryContext{ 369 - DID: "did:plc:test123", 370 - Repository: "myapp-priority", 371 - HoldDID: discoveryHoldDID, // Discovery-based hold 372 - ATProtoClient: atproto.NewClient("https://pds.example.com", "did:plc:test123", ""), 373 - Database: &mockDatabase{holdDID: dbHoldDID}, // Database has a different hold DID 374 } 375 376 - repo := NewRoutingRepository(nil, ctx) 377 - 378 - // For pull (GET), database should take priority 379 - pullCtx := context.WithValue(context.Background(), "http.request.method", "GET") 380 - blobStore := repo.Blobs(pullCtx) 381 - 382 - assert.NotNil(t, blobStore) 383 - // Database hold DID should take priority over discovery for pull operations 384 - assert.Equal(t, dbHoldDID, repo.Ctx.HoldDID, "database hold DID should take priority over discovery for pull (GET)") 385 }

··· 2 3 import ( 4 "context" 5 "testing" 6 7 "github.com/stretchr/testify/assert" 8 "github.com/stretchr/testify/require" 9 10 "atcr.io/pkg/atproto" 11 + "atcr.io/pkg/auth" 12 ) 13 14 + // mockUserContext creates a mock auth.UserContext for testing. 15 + // It sets up both the user identity and target info, and configures 16 + // test helpers to bypass network calls. 17 + func mockUserContext(did, authMethod, httpMethod, targetOwnerDID, targetOwnerHandle, targetOwnerPDS, targetRepo, targetHoldDID string) *auth.UserContext { 18 + userCtx := auth.NewUserContext(did, authMethod, httpMethod, nil) 19 + userCtx.SetTarget(targetOwnerDID, targetOwnerHandle, targetOwnerPDS, targetRepo, targetHoldDID) 20 21 + // Bypass PDS resolution (avoids network calls) 22 + userCtx.SetPDSForTest(targetOwnerHandle, targetOwnerPDS) 23 + 24 + // Set up mock authorizer that allows access 25 + userCtx.SetAuthorizerForTest(auth.NewMockHoldAuthorizer()) 26 27 + // Set default hold DID for push resolution 28 + userCtx.SetDefaultHoldDIDForTest(targetHoldDID) 29 + 30 + return userCtx 31 } 32 33 + // mockUserContextWithToken creates a mock UserContext with a pre-populated service token. 34 + func mockUserContextWithToken(did, authMethod, httpMethod, targetOwnerDID, targetOwnerHandle, targetOwnerPDS, targetRepo, targetHoldDID, serviceToken string) *auth.UserContext { 35 + userCtx := mockUserContext(did, authMethod, httpMethod, targetOwnerDID, targetOwnerHandle, targetOwnerPDS, targetRepo, targetHoldDID) 36 + userCtx.SetServiceTokenForTest(targetHoldDID, serviceToken) 37 + return userCtx 38 } 39 40 func TestNewRoutingRepository(t *testing.T) { 41 + userCtx := mockUserContext( 42 + "did:plc:test123", // authenticated user 43 + "oauth", // auth method 44 + "GET", // HTTP method 45 + "did:plc:test123", // target owner 46 + "test.handle", // target owner handle 47 + "https://pds.example.com", // target owner PDS 48 + "debian", // repository 49 + "did:web:hold01.atcr.io", // hold DID 50 + ) 51 + 52 + repo := NewRoutingRepository(nil, userCtx, nil) 53 + 54 + if repo.userCtx.TargetOwnerDID != "did:plc:test123" { 55 + t.Errorf("Expected TargetOwnerDID %q, got %q", "did:plc:test123", repo.userCtx.TargetOwnerDID) 56 } 57 58 + if repo.userCtx.TargetRepo != "debian" { 59 + t.Errorf("Expected TargetRepo %q, got %q", "debian", repo.userCtx.TargetRepo) 60 } 61 62 + if repo.userCtx.TargetHoldDID != "did:web:hold01.atcr.io" { 63 + t.Errorf("Expected TargetHoldDID %q, got %q", "did:web:hold01.atcr.io", repo.userCtx.TargetHoldDID) 64 } 65 } 66 67 // TestRoutingRepository_Manifests tests the Manifests() method 68 func TestRoutingRepository_Manifests(t *testing.T) { 69 + userCtx := mockUserContext( 70 + "did:plc:test123", 71 + "oauth", 72 + "GET", 73 + "did:plc:test123", 74 + "test.handle", 75 + "https://pds.example.com", 76 + "myapp", 77 + "did:web:hold01.atcr.io", 78 + ) 79 + 80 + repo := NewRoutingRepository(nil, userCtx, nil) 81 manifestService, err := repo.Manifests(context.Background()) 82 83 require.NoError(t, err) 84 assert.NotNil(t, manifestService) 85 } 86 87 + // TestRoutingRepository_Blobs tests the Blobs() method 88 + func TestRoutingRepository_Blobs(t *testing.T) { 89 + userCtx := mockUserContext( 90 + "did:plc:test123", 91 + "oauth", 92 + "GET", 93 + "did:plc:test123", 94 + "test.handle", 95 + "https://pds.example.com", 96 + "myapp", 97 + "did:web:hold01.atcr.io", 98 + ) 99 + 100 + repo := NewRoutingRepository(nil, userCtx, nil) 101 blobStore := repo.Blobs(context.Background()) 102 103 assert.NotNil(t, blobStore) 104 } 105 106 // TestRoutingRepository_Blobs_PanicOnEmptyHoldDID tests panic when hold DID is empty 107 func TestRoutingRepository_Blobs_PanicOnEmptyHoldDID(t *testing.T) { 108 + // Create context without default hold and empty target hold 109 + userCtx := auth.NewUserContext("did:plc:emptyholdtest999", "oauth", "GET", nil) 110 + userCtx.SetTarget("did:plc:emptyholdtest999", "test.handle", "https://pds.example.com", "empty-hold-app", "") 111 + userCtx.SetPDSForTest("test.handle", "https://pds.example.com") 112 + userCtx.SetAuthorizerForTest(auth.NewMockHoldAuthorizer()) 113 + // Intentionally NOT setting default hold DID 114 115 + repo := NewRoutingRepository(nil, userCtx, nil) 116 117 // Should panic with empty hold DID 118 assert.Panics(t, func() { ··· 122 123 // TestRoutingRepository_Tags tests the Tags() method 124 func TestRoutingRepository_Tags(t *testing.T) { 125 + userCtx := mockUserContext( 126 + "did:plc:test123", 127 + "oauth", 128 + "GET", 129 + "did:plc:test123", 130 + "test.handle", 131 + "https://pds.example.com", 132 + "myapp", 133 + "did:web:hold01.atcr.io", 134 + ) 135 + 136 + repo := NewRoutingRepository(nil, userCtx, nil) 137 tagService := repo.Tags(context.Background()) 138 139 assert.NotNil(t, tagService) 140 141 + // Call again and verify we get a fresh instance (no caching) 142 tagService2 := repo.Tags(context.Background()) 143 assert.NotNil(t, tagService2) 144 } 145 146 + // TestRoutingRepository_UserContext tests that UserContext fields are properly set 147 + func TestRoutingRepository_UserContext(t *testing.T) { 148 + testCases := []struct { 149 + name string 150 + httpMethod string 151 + expectedAction auth.RequestAction 152 + }{ 153 + {"GET request is pull", "GET", auth.ActionPull}, 154 + {"HEAD request is pull", "HEAD", auth.ActionPull}, 155 + {"PUT request is push", "PUT", auth.ActionPush}, 156 + {"POST request is push", "POST", auth.ActionPush}, 157 + {"DELETE request is push", "DELETE", auth.ActionPush}, 158 } 159 160 + for _, tc := range testCases { 161 + t.Run(tc.name, func(t *testing.T) { 162 + userCtx := mockUserContext( 163 + "did:plc:test123", 164 + "oauth", 165 + tc.httpMethod, 166 + "did:plc:test123", 167 + "test.handle", 168 + "https://pds.example.com", 169 + "myapp", 170 + "did:web:hold01.atcr.io", 171 + ) 172 + 173 + repo := NewRoutingRepository(nil, userCtx, nil) 174 + 175 + assert.Equal(t, tc.expectedAction, repo.userCtx.Action, "action should match HTTP method") 176 + }) 177 } 178 + } 179 180 + // TestRoutingRepository_DifferentHoldDIDs tests routing with different hold DIDs 181 + func TestRoutingRepository_DifferentHoldDIDs(t *testing.T) { 182 + testCases := []struct { 183 + name string 184 + holdDID string 185 + }{ 186 + {"did:web hold", "did:web:hold01.atcr.io"}, 187 + {"did:web with port", "did:web:localhost:8080"}, 188 + {"did:plc hold", "did:plc:xyz123"}, 189 } 190 191 + for _, tc := range testCases { 192 + t.Run(tc.name, func(t *testing.T) { 193 + userCtx := mockUserContext( 194 + "did:plc:test123", 195 + "oauth", 196 + "PUT", 197 + "did:plc:test123", 198 + "test.handle", 199 + "https://pds.example.com", 200 + "myapp", 201 + tc.holdDID, 202 + ) 203 + 204 + repo := NewRoutingRepository(nil, userCtx, nil) 205 + blobStore := repo.Blobs(context.Background()) 206 + 207 + assert.NotNil(t, blobStore, "should create blob store for %s", tc.holdDID) 208 + }) 209 } 210 + } 211 212 + // TestRoutingRepository_Named tests the Named() method 213 + func TestRoutingRepository_Named(t *testing.T) { 214 + userCtx := mockUserContext( 215 + "did:plc:test123", 216 + "oauth", 217 + "GET", 218 + "did:plc:test123", 219 + "test.handle", 220 + "https://pds.example.com", 221 + "myapp", 222 + "did:web:hold01.atcr.io", 223 + ) 224 + 225 + repo := NewRoutingRepository(nil, userCtx, nil) 226 + 227 + // Named() returns a reference.Named from the base repository 228 + // Since baseRepo is nil, this tests our implementation handles that case 229 + named := repo.Named() 230 + 231 + // With nil base, Named() should return a name constructed from context 232 + assert.NotNil(t, named) 233 + assert.Contains(t, named.Name(), "myapp") 234 } 235 236 + // TestATProtoResolveHoldURL tests DID to URL resolution 237 + func TestATProtoResolveHoldURL(t *testing.T) { 238 + tests := []struct { 239 + name string 240 + holdDID string 241 + expected string 242 + }{ 243 + { 244 + name: "did:web simple domain", 245 + holdDID: "did:web:hold01.atcr.io", 246 + expected: "https://hold01.atcr.io", 247 + }, 248 + { 249 + name: "did:web with port (localhost)", 250 + holdDID: "did:web:localhost:8080", 251 + expected: "http://localhost:8080", 252 + }, 253 } 254 255 + for _, tt := range tests { 256 + t.Run(tt.name, func(t *testing.T) { 257 + result := atproto.ResolveHoldURL(tt.holdDID) 258 + assert.Equal(t, tt.expected, result) 259 + }) 260 + } 261 }

+3 -36

pkg/auth/cache.go

··· 5 package auth 6 7 import ( 8 - "encoding/base64" 9 - "encoding/json" 10 - "fmt" 11 "log/slog" 12 - "strings" 13 "sync" 14 "time" 15 ) ··· 18 type serviceTokenEntry struct { 19 token string 20 expiresAt time.Time 21 } 22 23 // Global cache for service tokens (DID:HoldDID -> token) ··· 61 cacheKey := did + ":" + holdDID 62 63 // Parse JWT to extract expiry (don't verify signature - we trust the PDS) 64 - expiry, err := parseJWTExpiry(token) 65 if err != nil { 66 // If parsing fails, use default 50s TTL (conservative fallback) 67 slog.Warn("Failed to parse JWT expiry, using default 50s", "error", err, "cacheKey", cacheKey) ··· 85 return nil 86 } 87 88 - // parseJWTExpiry extracts the expiry time from a JWT without verifying the signature 89 - // We trust tokens from the user's PDS, so signature verification isn't needed here 90 - // Manually decodes the JWT payload to avoid algorithm compatibility issues 91 - func parseJWTExpiry(tokenString string) (time.Time, error) { 92 - // JWT format: header.payload.signature 93 - parts := strings.Split(tokenString, ".") 94 - if len(parts) != 3 { 95 - return time.Time{}, fmt.Errorf("invalid JWT format: expected 3 parts, got %d", len(parts)) 96 - } 97 - 98 - // Decode the payload (second part) 99 - payload, err := base64.RawURLEncoding.DecodeString(parts[1]) 100 - if err != nil { 101 - return time.Time{}, fmt.Errorf("failed to decode JWT payload: %w", err) 102 - } 103 - 104 - // Parse the JSON payload 105 - var claims struct { 106 - Exp int64 `json:"exp"` 107 - } 108 - if err := json.Unmarshal(payload, &claims); err != nil { 109 - return time.Time{}, fmt.Errorf("failed to parse JWT claims: %w", err) 110 - } 111 - 112 - if claims.Exp == 0 { 113 - return time.Time{}, fmt.Errorf("JWT missing exp claim") 114 - } 115 - 116 - return time.Unix(claims.Exp, 0), nil 117 - } 118 - 119 // InvalidateServiceToken removes a service token from the cache 120 // Used when we detect that a token is invalid or the user's session has expired 121 func InvalidateServiceToken(did, holdDID string) {

··· 5 package auth 6 7 import ( 8 "log/slog" 9 "sync" 10 "time" 11 ) ··· 14 type serviceTokenEntry struct { 15 token string 16 expiresAt time.Time 17 + err error 18 + once sync.Once 19 } 20 21 // Global cache for service tokens (DID:HoldDID -> token) ··· 59 cacheKey := did + ":" + holdDID 60 61 // Parse JWT to extract expiry (don't verify signature - we trust the PDS) 62 + expiry, err := ParseJWTExpiry(token) 63 if err != nil { 64 // If parsing fails, use default 50s TTL (conservative fallback) 65 slog.Warn("Failed to parse JWT expiry, using default 50s", "error", err, "cacheKey", cacheKey) ··· 83 return nil 84 } 85 86 // InvalidateServiceToken removes a service token from the cache 87 // Used when we detect that a token is invalid or the user's session has expired 88 func InvalidateServiceToken(did, holdDID string) {

+80

pkg/auth/mock_authorizer.go

···

··· 1 + package auth 2 + 3 + import ( 4 + "context" 5 + 6 + "atcr.io/pkg/atproto" 7 + ) 8 + 9 + // MockHoldAuthorizer is a test double for HoldAuthorizer. 10 + // It allows tests to control the return values of authorization checks 11 + // without making network calls or querying a real PDS. 12 + type MockHoldAuthorizer struct { 13 + // Direct result control 14 + CanReadResult bool 15 + CanWriteResult bool 16 + CanAdminResult bool 17 + Error error 18 + 19 + // Captain record to return (optional, for GetCaptainRecord) 20 + CaptainRecord *atproto.CaptainRecord 21 + 22 + // Crew membership (optional, for IsCrewMember) 23 + IsCrewResult bool 24 + } 25 + 26 + // NewMockHoldAuthorizer creates a MockHoldAuthorizer with sensible defaults. 27 + // By default, it allows all access (public hold, user is owner). 28 + func NewMockHoldAuthorizer() *MockHoldAuthorizer { 29 + return &MockHoldAuthorizer{ 30 + CanReadResult: true, 31 + CanWriteResult: true, 32 + CanAdminResult: false, 33 + IsCrewResult: false, 34 + CaptainRecord: &atproto.CaptainRecord{ 35 + Type: "io.atcr.hold.captain", 36 + Owner: "did:plc:mock-owner", 37 + Public: true, 38 + }, 39 + } 40 + } 41 + 42 + // CheckReadAccess returns the configured CanReadResult. 43 + func (m *MockHoldAuthorizer) CheckReadAccess(ctx context.Context, holdDID, userDID string) (bool, error) { 44 + if m.Error != nil { 45 + return false, m.Error 46 + } 47 + return m.CanReadResult, nil 48 + } 49 + 50 + // CheckWriteAccess returns the configured CanWriteResult. 51 + func (m *MockHoldAuthorizer) CheckWriteAccess(ctx context.Context, holdDID, userDID string) (bool, error) { 52 + if m.Error != nil { 53 + return false, m.Error 54 + } 55 + return m.CanWriteResult, nil 56 + } 57 + 58 + // GetCaptainRecord returns the configured CaptainRecord or a default. 59 + func (m *MockHoldAuthorizer) GetCaptainRecord(ctx context.Context, holdDID string) (*atproto.CaptainRecord, error) { 60 + if m.Error != nil { 61 + return nil, m.Error 62 + } 63 + if m.CaptainRecord != nil { 64 + return m.CaptainRecord, nil 65 + } 66 + // Return a default captain record 67 + return &atproto.CaptainRecord{ 68 + Type: "io.atcr.hold.captain", 69 + Owner: "did:plc:mock-owner", 70 + Public: true, 71 + }, nil 72 + } 73 + 74 + // IsCrewMember returns the configured IsCrewResult. 75 + func (m *MockHoldAuthorizer) IsCrewMember(ctx context.Context, holdDID, userDID string) (bool, error) { 76 + if m.Error != nil { 77 + return false, m.Error 78 + } 79 + return m.IsCrewResult, nil 80 + }

+167 -228

pkg/auth/servicetoken.go

··· 2 3 import ( 4 "context" 5 "encoding/json" 6 "errors" 7 "fmt" ··· 9 "log/slog" 10 "net/http" 11 "net/url" 12 "time" 13 14 "atcr.io/pkg/atproto" ··· 44 } 45 } 46 47 // GetOrFetchServiceToken gets a service token for hold authentication. 48 - // Checks cache first, then fetches from PDS with OAuth/DPoP if needed. 49 - // This is the canonical implementation used by both middleware and crew registration. 50 // 51 - // IMPORTANT: Uses DoWithSession() to hold a per-DID lock through the entire PDS interaction. 52 // This prevents DPoP nonce race conditions when multiple Docker layers upload concurrently. 53 func GetOrFetchServiceToken( 54 ctx context.Context, 55 - refresher *oauth.Refresher, 56 did, holdDID, pdsEndpoint string, 57 ) (string, error) { 58 - if refresher == nil { 59 - return "", fmt.Errorf("refresher is nil (OAuth session required for service tokens)") 60 - } 61 - 62 // Check cache first to avoid unnecessary PDS calls on every request 63 cachedToken, expiresAt := GetServiceToken(did, holdDID) 64 ··· 66 if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 67 slog.Debug("Using cached service token", 68 "did", did, 69 "expiresIn", time.Until(expiresAt).Round(time.Second)) 70 return cachedToken, nil 71 } 72 73 - // Cache miss or expiring soon - validate OAuth and get new service token 74 if cachedToken == "" { 75 - slog.Debug("Service token cache miss, fetching new token", "did", did) 76 } else { 77 - slog.Debug("Service token expiring soon, proactively renewing", "did", did) 78 } 79 80 - // Use DoWithSession to hold the lock through the entire PDS interaction. 81 - // This prevents DPoP nonce races when multiple goroutines try to fetch service tokens. 82 var serviceToken string 83 var fetchErr error 84 85 err := refresher.DoWithSession(ctx, did, func(session *indigo_oauth.ClientSession) error { 86 - // Double-check cache after acquiring lock - another goroutine may have 87 - // populated it while we were waiting (classic double-checked locking pattern) 88 cachedToken, expiresAt := GetServiceToken(did, holdDID) 89 if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 90 slog.Debug("Service token cache hit after lock acquisition", ··· 94 return nil 95 } 96 97 - // Cache still empty/expired - proceed with PDS call 98 - // Request 5-minute expiry (PDS may grant less) 99 - // exp must be absolute Unix timestamp, not relative duration 100 - // Note: OAuth scope includes #atcr_hold fragment, but service auth aud must be bare DID 101 - expiryTime := time.Now().Unix() + 300 // 5 minutes from now 102 - serviceAuthURL := fmt.Sprintf("%s%s?aud=%s&lxm=%s&exp=%d", 103 - pdsEndpoint, 104 - atproto.ServerGetServiceAuth, 105 - url.QueryEscape(holdDID), 106 - url.QueryEscape("com.atproto.repo.getRecord"), 107 - expiryTime, 108 - ) 109 110 req, err := http.NewRequestWithContext(ctx, "GET", serviceAuthURL, nil) 111 if err != nil { 112 - fetchErr = fmt.Errorf("failed to create service auth request: %w", err) 113 return fetchErr 114 } 115 116 - // Use OAuth session to authenticate to PDS (with DPoP) 117 - // The lock is held, so DPoP nonce negotiation is serialized per-DID 118 resp, err := session.DoWithAuth(session.Client, req, "com.atproto.server.getServiceAuth") 119 if err != nil { 120 - // Auth error - may indicate expired tokens or corrupted session 121 - InvalidateServiceToken(did, holdDID) 122 - 123 - // Inspect the error to extract detailed information from indigo's APIError 124 - var apiErr *atclient.APIError 125 - if errors.As(err, &apiErr) { 126 - // Log detailed API error information 127 - slog.Error("OAuth authentication failed during service token request", 128 - "component", "token/servicetoken", 129 - "did", did, 130 - "holdDID", holdDID, 131 - "pdsEndpoint", pdsEndpoint, 132 - "url", serviceAuthURL, 133 - "error", err, 134 - "httpStatus", apiErr.StatusCode, 135 - "errorName", apiErr.Name, 136 - "errorMessage", apiErr.Message, 137 - "hint", getErrorHint(apiErr)) 138 - } else { 139 - // Fallback for non-API errors (network errors, etc.) 140 - slog.Error("OAuth authentication failed during service token request", 141 - "component", "token/servicetoken", 142 - "did", did, 143 - "holdDID", holdDID, 144 - "pdsEndpoint", pdsEndpoint, 145 - "url", serviceAuthURL, 146 - "error", err, 147 - "errorType", fmt.Sprintf("%T", err), 148 - "hint", "Network error or unexpected failure during OAuth request") 149 - } 150 - 151 - fetchErr = fmt.Errorf("OAuth validation failed: %w", err) 152 - return fetchErr 153 - } 154 - defer resp.Body.Close() 155 - 156 - if resp.StatusCode != http.StatusOK { 157 - // Service auth failed 158 - bodyBytes, _ := io.ReadAll(resp.Body) 159 - InvalidateServiceToken(did, holdDID) 160 - slog.Error("Service token request returned non-200 status", 161 - "component", "token/servicetoken", 162 - "did", did, 163 - "holdDID", holdDID, 164 - "pdsEndpoint", pdsEndpoint, 165 - "statusCode", resp.StatusCode, 166 - "responseBody", string(bodyBytes), 167 - "hint", "PDS rejected the service token request - check PDS logs for details") 168 - fetchErr = fmt.Errorf("service auth failed with status %d: %s", resp.StatusCode, string(bodyBytes)) 169 - return fetchErr 170 - } 171 - 172 - // Parse response to get service token 173 - var result struct { 174 - Token string `json:"token"` 175 - } 176 - if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { 177 - fetchErr = fmt.Errorf("failed to decode service auth response: %w", err) 178 return fetchErr 179 } 180 181 - if result.Token == "" { 182 - fetchErr = fmt.Errorf("empty token in service auth response") 183 return fetchErr 184 } 185 186 - serviceToken = result.Token 187 return nil 188 }) 189 190 if err != nil { 191 - // DoWithSession failed (session load or callback error) 192 - InvalidateServiceToken(did, holdDID) 193 - 194 - // Try to extract detailed error information 195 - var apiErr *atclient.APIError 196 - if errors.As(err, &apiErr) { 197 - slog.Error("Failed to get OAuth session for service token", 198 - "component", "token/servicetoken", 199 - "did", did, 200 - "holdDID", holdDID, 201 - "pdsEndpoint", pdsEndpoint, 202 - "error", err, 203 - "httpStatus", apiErr.StatusCode, 204 - "errorName", apiErr.Name, 205 - "errorMessage", apiErr.Message, 206 - "hint", getErrorHint(apiErr)) 207 - } else if fetchErr == nil { 208 - // Session load failed (not a fetch error) 209 - slog.Error("Failed to get OAuth session for service token", 210 - "component", "token/servicetoken", 211 - "did", did, 212 - "holdDID", holdDID, 213 - "pdsEndpoint", pdsEndpoint, 214 - "error", err, 215 - "errorType", fmt.Sprintf("%T", err), 216 - "hint", "OAuth session not found in database or token refresh failed") 217 - } 218 - 219 - // Delete the stale OAuth session to force re-authentication 220 - // This also invalidates the UI session automatically 221 - if delErr := refresher.DeleteSession(ctx, did); delErr != nil { 222 - slog.Warn("Failed to delete stale OAuth session", 223 - "component", "token/servicetoken", 224 - "did", did, 225 - "error", delErr) 226 - } 227 - 228 if fetchErr != nil { 229 return "", fetchErr 230 } 231 return "", fmt.Errorf("failed to get OAuth session: %w", err) 232 } 233 234 - // Cache the token (parses JWT to extract actual expiry) 235 - if err := SetServiceToken(did, holdDID, serviceToken); err != nil { 236 - slog.Warn("Failed to cache service token", "error", err, "did", did, "holdDID", holdDID) 237 - // Non-fatal - we have the token, just won't be cached 238 - } 239 - 240 - slog.Debug("OAuth validation succeeded, service token obtained", "did", did) 241 return serviceToken, nil 242 } 243 244 - // GetOrFetchServiceTokenWithAppPassword gets a service token using app-password Bearer authentication. 245 - // Used when auth method is app_password instead of OAuth. 246 - func GetOrFetchServiceTokenWithAppPassword( 247 ctx context.Context, 248 did, holdDID, pdsEndpoint string, 249 ) (string, error) { 250 - // Check cache first to avoid unnecessary PDS calls on every request 251 - cachedToken, expiresAt := GetServiceToken(did, holdDID) 252 - 253 - // Use cached token if it exists and has > 10s remaining 254 - if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 255 - slog.Debug("Using cached service token (app-password)", 256 - "did", did, 257 - "expiresIn", time.Until(expiresAt).Round(time.Second)) 258 - return cachedToken, nil 259 - } 260 - 261 - // Cache miss or expiring soon - get app-password token and fetch new service token 262 - if cachedToken == "" { 263 - slog.Debug("Service token cache miss, fetching new token with app-password", "did", did) 264 - } else { 265 - slog.Debug("Service token expiring soon, proactively renewing with app-password", "did", did) 266 - } 267 - 268 - // Get app-password access token from cache 269 accessToken, ok := GetGlobalTokenCache().Get(did) 270 if !ok { 271 - InvalidateServiceToken(did, holdDID) 272 - slog.Error("No app-password access token found in cache", 273 - "component", "token/servicetoken", 274 - "did", did, 275 - "holdDID", holdDID, 276 - "hint", "User must re-authenticate with docker login") 277 return "", fmt.Errorf("no app-password access token available for DID %s", did) 278 } 279 280 - // Call com.atproto.server.getServiceAuth on the user's PDS with Bearer token 281 - // Request 5-minute expiry (PDS may grant less) 282 - // exp must be absolute Unix timestamp, not relative duration 283 - expiryTime := time.Now().Unix() + 300 // 5 minutes from now 284 - serviceAuthURL := fmt.Sprintf("%s%s?aud=%s&lxm=%s&exp=%d", 285 - pdsEndpoint, 286 - atproto.ServerGetServiceAuth, 287 - url.QueryEscape(holdDID), 288 - url.QueryEscape("com.atproto.repo.getRecord"), 289 - expiryTime, 290 - ) 291 292 req, err := http.NewRequestWithContext(ctx, "GET", serviceAuthURL, nil) 293 if err != nil { 294 - return "", fmt.Errorf("failed to create service auth request: %w", err) 295 } 296 297 - // Set Bearer token authentication (app-password) 298 req.Header.Set("Authorization", "Bearer "+accessToken) 299 300 - // Make request with standard HTTP client 301 resp, err := http.DefaultClient.Do(req) 302 if err != nil { 303 - InvalidateServiceToken(did, holdDID) 304 - slog.Error("App-password service token request failed", 305 - "component", "token/servicetoken", 306 - "did", did, 307 - "holdDID", holdDID, 308 - "pdsEndpoint", pdsEndpoint, 309 - "error", err) 310 - return "", fmt.Errorf("failed to request service token: %w", err) 311 } 312 - defer resp.Body.Close() 313 314 if resp.StatusCode == http.StatusUnauthorized { 315 - // App-password token is invalid or expired - clear from cache 316 GetGlobalTokenCache().Delete(did) 317 - InvalidateServiceToken(did, holdDID) 318 - slog.Error("App-password token rejected by PDS", 319 - "component", "token/servicetoken", 320 - "did", did, 321 - "hint", "User must re-authenticate with docker login") 322 return "", fmt.Errorf("app-password authentication failed: token expired or invalid") 323 } 324 325 - if resp.StatusCode != http.StatusOK { 326 - // Service auth failed 327 - bodyBytes, _ := io.ReadAll(resp.Body) 328 - InvalidateServiceToken(did, holdDID) 329 - slog.Error("Service token request returned non-200 status (app-password)", 330 - "component", "token/servicetoken", 331 - "did", did, 332 - "holdDID", holdDID, 333 - "pdsEndpoint", pdsEndpoint, 334 - "statusCode", resp.StatusCode, 335 - "responseBody", string(bodyBytes)) 336 - return "", fmt.Errorf("service auth failed with status %d: %s", resp.StatusCode, string(bodyBytes)) 337 - } 338 - 339 - // Parse response to get service token 340 - var result struct { 341 - Token string `json:"token"` 342 - } 343 - if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { 344 - return "", fmt.Errorf("failed to decode service auth response: %w", err) 345 - } 346 - 347 - if result.Token == "" { 348 - return "", fmt.Errorf("empty token in service auth response") 349 - } 350 - 351 - serviceToken := result.Token 352 - 353 - // Cache the token (parses JWT to extract actual expiry) 354 - if err := SetServiceToken(did, holdDID, serviceToken); err != nil { 355 - slog.Warn("Failed to cache service token", "error", err, "did", did, "holdDID", holdDID) 356 - // Non-fatal - we have the token, just won't be cached 357 - } 358 - 359 - slog.Debug("App-password validation succeeded, service token obtained", "did", did) 360 - return serviceToken, nil 361 }

··· 2 3 import ( 4 "context" 5 + "encoding/base64" 6 "encoding/json" 7 "errors" 8 "fmt" ··· 10 "log/slog" 11 "net/http" 12 "net/url" 13 + "strings" 14 "time" 15 16 "atcr.io/pkg/atproto" ··· 46 } 47 } 48 49 + // ParseJWTExpiry extracts the expiry time from a JWT without verifying the signature 50 + // We trust tokens from the user's PDS, so signature verification isn't needed here 51 + // Manually decodes the JWT payload to avoid algorithm compatibility issues 52 + func ParseJWTExpiry(tokenString string) (time.Time, error) { 53 + // JWT format: header.payload.signature 54 + parts := strings.Split(tokenString, ".") 55 + if len(parts) != 3 { 56 + return time.Time{}, fmt.Errorf("invalid JWT format: expected 3 parts, got %d", len(parts)) 57 + } 58 + 59 + // Decode the payload (second part) 60 + payload, err := base64.RawURLEncoding.DecodeString(parts[1]) 61 + if err != nil { 62 + return time.Time{}, fmt.Errorf("failed to decode JWT payload: %w", err) 63 + } 64 + 65 + // Parse the JSON payload 66 + var claims struct { 67 + Exp int64 `json:"exp"` 68 + } 69 + if err := json.Unmarshal(payload, &claims); err != nil { 70 + return time.Time{}, fmt.Errorf("failed to parse JWT claims: %w", err) 71 + } 72 + 73 + if claims.Exp == 0 { 74 + return time.Time{}, fmt.Errorf("JWT missing exp claim") 75 + } 76 + 77 + return time.Unix(claims.Exp, 0), nil 78 + } 79 + 80 + // buildServiceAuthURL constructs the URL for com.atproto.server.getServiceAuth 81 + func buildServiceAuthURL(pdsEndpoint, holdDID string) string { 82 + // Request 5-minute expiry (PDS may grant less) 83 + // exp must be absolute Unix timestamp, not relative duration 84 + expiryTime := time.Now().Unix() + 300 // 5 minutes from now 85 + return fmt.Sprintf("%s%s?aud=%s&lxm=%s&exp=%d", 86 + pdsEndpoint, 87 + atproto.ServerGetServiceAuth, 88 + url.QueryEscape(holdDID), 89 + url.QueryEscape("com.atproto.repo.getRecord"), 90 + expiryTime, 91 + ) 92 + } 93 + 94 + // parseServiceTokenResponse extracts the token from a service auth response 95 + func parseServiceTokenResponse(resp *http.Response) (string, error) { 96 + defer resp.Body.Close() 97 + 98 + if resp.StatusCode != http.StatusOK { 99 + bodyBytes, _ := io.ReadAll(resp.Body) 100 + return "", fmt.Errorf("service auth failed with status %d: %s", resp.StatusCode, string(bodyBytes)) 101 + } 102 + 103 + var result struct { 104 + Token string `json:"token"` 105 + } 106 + if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { 107 + return "", fmt.Errorf("failed to decode service auth response: %w", err) 108 + } 109 + 110 + if result.Token == "" { 111 + return "", fmt.Errorf("empty token in service auth response") 112 + } 113 + 114 + return result.Token, nil 115 + } 116 + 117 // GetOrFetchServiceToken gets a service token for hold authentication. 118 + // Handles both OAuth/DPoP and app-password authentication based on authMethod. 119 + // Checks cache first, then fetches from PDS if needed. 120 // 121 + // For OAuth: Uses DoWithSession() to hold a per-DID lock through the entire PDS interaction. 122 // This prevents DPoP nonce race conditions when multiple Docker layers upload concurrently. 123 + // 124 + // For app-password: Uses Bearer token authentication without locking (no DPoP complexity). 125 func GetOrFetchServiceToken( 126 ctx context.Context, 127 + authMethod string, 128 + refresher *oauth.Refresher, // Required for OAuth, nil for app-password 129 did, holdDID, pdsEndpoint string, 130 ) (string, error) { 131 // Check cache first to avoid unnecessary PDS calls on every request 132 cachedToken, expiresAt := GetServiceToken(did, holdDID) 133 ··· 135 if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 136 slog.Debug("Using cached service token", 137 "did", did, 138 + "authMethod", authMethod, 139 "expiresIn", time.Until(expiresAt).Round(time.Second)) 140 return cachedToken, nil 141 } 142 143 + // Cache miss or expiring soon - fetch new service token 144 if cachedToken == "" { 145 + slog.Debug("Service token cache miss, fetching new token", "did", did, "authMethod", authMethod) 146 } else { 147 + slog.Debug("Service token expiring soon, proactively renewing", "did", did, "authMethod", authMethod) 148 + } 149 + 150 + var serviceToken string 151 + var err error 152 + 153 + // Branch based on auth method 154 + if authMethod == AuthMethodOAuth { 155 + serviceToken, err = doOAuthFetch(ctx, refresher, did, holdDID, pdsEndpoint) 156 + // OAuth-specific cleanup: delete stale session on error 157 + if err != nil && refresher != nil { 158 + if delErr := refresher.DeleteSession(ctx, did); delErr != nil { 159 + slog.Warn("Failed to delete stale OAuth session", 160 + "component", "auth/servicetoken", 161 + "did", did, 162 + "error", delErr) 163 + } 164 + } 165 + } else { 166 + serviceToken, err = doAppPasswordFetch(ctx, did, holdDID, pdsEndpoint) 167 + } 168 + 169 + // Unified error handling 170 + if err != nil { 171 + InvalidateServiceToken(did, holdDID) 172 + 173 + var apiErr *atclient.APIError 174 + if errors.As(err, &apiErr) { 175 + slog.Error("Service token request failed", 176 + "component", "auth/servicetoken", 177 + "authMethod", authMethod, 178 + "did", did, 179 + "holdDID", holdDID, 180 + "pdsEndpoint", pdsEndpoint, 181 + "error", err, 182 + "httpStatus", apiErr.StatusCode, 183 + "errorName", apiErr.Name, 184 + "errorMessage", apiErr.Message, 185 + "hint", getErrorHint(apiErr)) 186 + } else { 187 + slog.Error("Service token request failed", 188 + "component", "auth/servicetoken", 189 + "authMethod", authMethod, 190 + "did", did, 191 + "holdDID", holdDID, 192 + "pdsEndpoint", pdsEndpoint, 193 + "error", err) 194 + } 195 + return "", err 196 + } 197 + 198 + // Cache the token (parses JWT to extract actual expiry) 199 + if cacheErr := SetServiceToken(did, holdDID, serviceToken); cacheErr != nil { 200 + slog.Warn("Failed to cache service token", "error", cacheErr, "did", did, "holdDID", holdDID) 201 + } 202 + 203 + slog.Debug("Service token obtained", "did", did, "authMethod", authMethod) 204 + return serviceToken, nil 205 + } 206 + 207 + // doOAuthFetch fetches a service token using OAuth/DPoP authentication. 208 + // Uses DoWithSession() for per-DID locking to prevent DPoP nonce races. 209 + // Returns (token, error) without logging - caller handles error logging. 210 + func doOAuthFetch( 211 + ctx context.Context, 212 + refresher *oauth.Refresher, 213 + did, holdDID, pdsEndpoint string, 214 + ) (string, error) { 215 + if refresher == nil { 216 + return "", fmt.Errorf("refresher is nil (OAuth session required)") 217 } 218 219 var serviceToken string 220 var fetchErr error 221 222 err := refresher.DoWithSession(ctx, did, func(session *indigo_oauth.ClientSession) error { 223 + // Double-check cache after acquiring lock (double-checked locking pattern) 224 cachedToken, expiresAt := GetServiceToken(did, holdDID) 225 if cachedToken != "" && time.Until(expiresAt) > 10*time.Second { 226 slog.Debug("Service token cache hit after lock acquisition", ··· 230 return nil 231 } 232 233 + serviceAuthURL := buildServiceAuthURL(pdsEndpoint, holdDID) 234 235 req, err := http.NewRequestWithContext(ctx, "GET", serviceAuthURL, nil) 236 if err != nil { 237 + fetchErr = fmt.Errorf("failed to create request: %w", err) 238 return fetchErr 239 } 240 241 resp, err := session.DoWithAuth(session.Client, req, "com.atproto.server.getServiceAuth") 242 if err != nil { 243 + fetchErr = fmt.Errorf("OAuth request failed: %w", err) 244 return fetchErr 245 } 246 247 + token, parseErr := parseServiceTokenResponse(resp) 248 + if parseErr != nil { 249 + fetchErr = parseErr 250 return fetchErr 251 } 252 253 + serviceToken = token 254 return nil 255 }) 256 257 if err != nil { 258 if fetchErr != nil { 259 return "", fetchErr 260 } 261 return "", fmt.Errorf("failed to get OAuth session: %w", err) 262 } 263 264 return serviceToken, nil 265 } 266 267 + // doAppPasswordFetch fetches a service token using Bearer token authentication. 268 + // Returns (token, error) without logging - caller handles error logging. 269 + func doAppPasswordFetch( 270 ctx context.Context, 271 did, holdDID, pdsEndpoint string, 272 ) (string, error) { 273 accessToken, ok := GetGlobalTokenCache().Get(did) 274 if !ok { 275 return "", fmt.Errorf("no app-password access token available for DID %s", did) 276 } 277 278 + serviceAuthURL := buildServiceAuthURL(pdsEndpoint, holdDID) 279 280 req, err := http.NewRequestWithContext(ctx, "GET", serviceAuthURL, nil) 281 if err != nil { 282 + return "", fmt.Errorf("failed to create request: %w", err) 283 } 284 285 req.Header.Set("Authorization", "Bearer "+accessToken) 286 287 resp, err := http.DefaultClient.Do(req) 288 if err != nil { 289 + return "", fmt.Errorf("request failed: %w", err) 290 } 291 292 if resp.StatusCode == http.StatusUnauthorized { 293 + resp.Body.Close() 294 + // Clear stale app-password token 295 GetGlobalTokenCache().Delete(did) 296 return "", fmt.Errorf("app-password authentication failed: token expired or invalid") 297 } 298 299 + return parseServiceTokenResponse(resp) 300 }

+6 -6

pkg/auth/servicetoken_test.go

··· 11 holdDID := "did:web:hold.example.com" 12 pdsEndpoint := "https://pds.example.com" 13 14 - // Test with nil refresher - should return error 15 - _, err := GetOrFetchServiceToken(ctx, nil, did, holdDID, pdsEndpoint) 16 if err == nil { 17 - t.Error("Expected error when refresher is nil") 18 } 19 20 - expectedErrMsg := "refresher is nil" 21 - if err.Error() != "refresher is nil (OAuth session required for service tokens)" { 22 - t.Errorf("Expected error message to contain %q, got %q", expectedErrMsg, err.Error()) 23 } 24 } 25

··· 11 holdDID := "did:web:hold.example.com" 12 pdsEndpoint := "https://pds.example.com" 13 14 + // Test with nil refresher and OAuth auth method - should return error 15 + _, err := GetOrFetchServiceToken(ctx, AuthMethodOAuth, nil, did, holdDID, pdsEndpoint) 16 if err == nil { 17 + t.Error("Expected error when refresher is nil for OAuth") 18 } 19 20 + expectedErrMsg := "refresher is nil (OAuth session required)" 21 + if err.Error() != expectedErrMsg { 22 + t.Errorf("Expected error message %q, got %q", expectedErrMsg, err.Error()) 23 } 24 } 25

+784

pkg/auth/usercontext.go

···

··· 1 + // Package auth provides UserContext for managing authenticated user state 2 + // throughout request handling in the AppView. 3 + package auth 4 + 5 + import ( 6 + "context" 7 + "database/sql" 8 + "encoding/json" 9 + "fmt" 10 + "io" 11 + "log/slog" 12 + "net/http" 13 + "sync" 14 + "time" 15 + 16 + "atcr.io/pkg/appview/db" 17 + "atcr.io/pkg/atproto" 18 + "atcr.io/pkg/auth/oauth" 19 + ) 20 + 21 + // Auth method constants (duplicated from token package to avoid import cycle) 22 + const ( 23 + AuthMethodOAuth = "oauth" 24 + AuthMethodAppPassword = "app_password" 25 + ) 26 + 27 + // RequestAction represents the type of registry operation 28 + type RequestAction int 29 + 30 + const ( 31 + ActionUnknown RequestAction = iota 32 + ActionPull // GET/HEAD - reading from registry 33 + ActionPush // PUT/POST/DELETE - writing to registry 34 + ActionInspect // Metadata operations only 35 + ) 36 + 37 + func (a RequestAction) String() string { 38 + switch a { 39 + case ActionPull: 40 + return "pull" 41 + case ActionPush: 42 + return "push" 43 + case ActionInspect: 44 + return "inspect" 45 + default: 46 + return "unknown" 47 + } 48 + } 49 + 50 + // HoldPermissions describes what the user can do on a specific hold 51 + type HoldPermissions struct { 52 + HoldDID string // Hold being checked 53 + IsOwner bool // User is captain of this hold 54 + IsCrew bool // User is a crew member 55 + IsPublic bool // Hold allows public reads 56 + CanRead bool // Computed: can user read blobs? 57 + CanWrite bool // Computed: can user write blobs? 58 + CanAdmin bool // Computed: can user manage crew? 59 + Permissions []string // Raw permissions from crew record 60 + } 61 + 62 + // contextKey is unexported to prevent collisions 63 + type contextKey struct{} 64 + 65 + // userContextKey is the context key for UserContext 66 + var userContextKey = contextKey{} 67 + 68 + // userSetupCache tracks which users have had their profile/crew setup ensured 69 + var userSetupCache sync.Map // did -> time.Time 70 + 71 + // userSetupTTL is how long to cache user setup status (1 hour) 72 + const userSetupTTL = 1 * time.Hour 73 + 74 + // Dependencies bundles services needed by UserContext 75 + type Dependencies struct { 76 + Refresher *oauth.Refresher 77 + Authorizer HoldAuthorizer 78 + DefaultHoldDID string // AppView's default hold DID 79 + } 80 + 81 + // UserContext encapsulates authenticated user state for a request. 82 + // Built early in the middleware chain and available throughout request processing. 83 + // 84 + // Two-phase initialization: 85 + // 1. Middleware phase: Identity is set (DID, authMethod, action) 86 + // 2. Repository() phase: Target is set via SetTarget() (owner, repo, holdDID) 87 + type UserContext struct { 88 + // === User Identity (set in middleware) === 89 + DID string // User's DID (empty if unauthenticated) 90 + Handle string // User's handle (may be empty) 91 + PDSEndpoint string // User's PDS endpoint 92 + AuthMethod string // "oauth", "app_password", or "" 93 + IsAuthenticated bool 94 + 95 + // === Request Info === 96 + Action RequestAction 97 + HTTPMethod string 98 + 99 + // === Target Info (set by SetTarget) === 100 + TargetOwnerDID string // whose repo is being accessed 101 + TargetOwnerHandle string 102 + TargetOwnerPDS string 103 + TargetRepo string // image name (e.g., "quickslice") 104 + TargetHoldDID string // hold where blobs live/will live 105 + 106 + // === Dependencies (injected) === 107 + refresher *oauth.Refresher 108 + authorizer HoldAuthorizer 109 + defaultHoldDID string 110 + 111 + // === Cached State (lazy-loaded) === 112 + serviceTokens sync.Map // holdDID -> *serviceTokenEntry 113 + permissions sync.Map // holdDID -> *HoldPermissions 114 + pdsResolved bool 115 + pdsResolveErr error 116 + mu sync.Mutex // protects PDS resolution 117 + atprotoClient *atproto.Client 118 + atprotoClientOnce sync.Once 119 + } 120 + 121 + // FromContext retrieves UserContext from context. 122 + // Returns nil if not present (unauthenticated or before middleware). 123 + func FromContext(ctx context.Context) *UserContext { 124 + uc, _ := ctx.Value(userContextKey).(*UserContext) 125 + return uc 126 + } 127 + 128 + // WithUserContext adds UserContext to context 129 + func WithUserContext(ctx context.Context, uc *UserContext) context.Context { 130 + return context.WithValue(ctx, userContextKey, uc) 131 + } 132 + 133 + // NewUserContext creates a UserContext from extracted JWT claims. 134 + // The deps parameter provides access to services needed for lazy operations. 135 + func NewUserContext(did, authMethod, httpMethod string, deps *Dependencies) *UserContext { 136 + action := ActionUnknown 137 + switch httpMethod { 138 + case "GET", "HEAD": 139 + action = ActionPull 140 + case "PUT", "POST", "PATCH", "DELETE": 141 + action = ActionPush 142 + } 143 + 144 + var refresher *oauth.Refresher 145 + var authorizer HoldAuthorizer 146 + var defaultHoldDID string 147 + 148 + if deps != nil { 149 + refresher = deps.Refresher 150 + authorizer = deps.Authorizer 151 + defaultHoldDID = deps.DefaultHoldDID 152 + } 153 + 154 + return &UserContext{ 155 + DID: did, 156 + AuthMethod: authMethod, 157 + IsAuthenticated: did != "", 158 + Action: action, 159 + HTTPMethod: httpMethod, 160 + refresher: refresher, 161 + authorizer: authorizer, 162 + defaultHoldDID: defaultHoldDID, 163 + } 164 + } 165 + 166 + // SetPDS sets the user's PDS endpoint directly, bypassing network resolution. 167 + // Use when PDS is already known (e.g., from previous resolution or client). 168 + func (uc *UserContext) SetPDS(handle, pdsEndpoint string) { 169 + uc.mu.Lock() 170 + defer uc.mu.Unlock() 171 + uc.Handle = handle 172 + uc.PDSEndpoint = pdsEndpoint 173 + uc.pdsResolved = true 174 + uc.pdsResolveErr = nil 175 + } 176 + 177 + // SetTarget sets the target repository information. 178 + // Called in Repository() after resolving the owner identity. 179 + func (uc *UserContext) SetTarget(ownerDID, ownerHandle, ownerPDS, repo, holdDID string) { 180 + uc.TargetOwnerDID = ownerDID 181 + uc.TargetOwnerHandle = ownerHandle 182 + uc.TargetOwnerPDS = ownerPDS 183 + uc.TargetRepo = repo 184 + uc.TargetHoldDID = holdDID 185 + } 186 + 187 + // ResolvePDS resolves the user's PDS endpoint (lazy, cached). 188 + // Safe to call multiple times; resolution happens once. 189 + func (uc *UserContext) ResolvePDS(ctx context.Context) error { 190 + if !uc.IsAuthenticated { 191 + return nil // Nothing to resolve for anonymous users 192 + } 193 + 194 + uc.mu.Lock() 195 + defer uc.mu.Unlock() 196 + 197 + if uc.pdsResolved { 198 + return uc.pdsResolveErr 199 + } 200 + 201 + _, handle, pds, err := atproto.ResolveIdentity(ctx, uc.DID) 202 + if err != nil { 203 + uc.pdsResolveErr = err 204 + uc.pdsResolved = true 205 + return err 206 + } 207 + 208 + uc.Handle = handle 209 + uc.PDSEndpoint = pds 210 + uc.pdsResolved = true 211 + return nil 212 + } 213 + 214 + // GetServiceToken returns a service token for the target hold. 215 + // Uses internal caching with sync.Once per holdDID. 216 + // Requires target to be set via SetTarget(). 217 + func (uc *UserContext) GetServiceToken(ctx context.Context) (string, error) { 218 + if uc.TargetHoldDID == "" { 219 + return "", fmt.Errorf("target hold not set (call SetTarget first)") 220 + } 221 + return uc.GetServiceTokenForHold(ctx, uc.TargetHoldDID) 222 + } 223 + 224 + // GetServiceTokenForHold returns a service token for an arbitrary hold. 225 + // Uses internal caching with sync.Once per holdDID. 226 + func (uc *UserContext) GetServiceTokenForHold(ctx context.Context, holdDID string) (string, error) { 227 + if !uc.IsAuthenticated { 228 + return "", fmt.Errorf("cannot get service token: user not authenticated") 229 + } 230 + 231 + // Ensure PDS is resolved 232 + if err := uc.ResolvePDS(ctx); err != nil { 233 + return "", fmt.Errorf("failed to resolve PDS: %w", err) 234 + } 235 + 236 + // Load or create cache entry 237 + entryVal, _ := uc.serviceTokens.LoadOrStore(holdDID, &serviceTokenEntry{}) 238 + entry := entryVal.(*serviceTokenEntry) 239 + 240 + entry.once.Do(func() { 241 + slog.Debug("Fetching service token", 242 + "component", "auth/context", 243 + "userDID", uc.DID, 244 + "holdDID", holdDID, 245 + "authMethod", uc.AuthMethod) 246 + 247 + // Use unified service token function (handles both OAuth and app-password) 248 + serviceToken, err := GetOrFetchServiceToken( 249 + ctx, uc.AuthMethod, uc.refresher, uc.DID, holdDID, uc.PDSEndpoint, 250 + ) 251 + 252 + entry.token = serviceToken 253 + entry.err = err 254 + if err == nil { 255 + // Parse JWT to get expiry 256 + expiry, parseErr := ParseJWTExpiry(serviceToken) 257 + if parseErr == nil { 258 + entry.expiresAt = expiry.Add(-10 * time.Second) // Safety margin 259 + } else { 260 + entry.expiresAt = time.Now().Add(45 * time.Second) // Default fallback 261 + } 262 + } 263 + }) 264 + 265 + return entry.token, entry.err 266 + } 267 + 268 + // CanRead checks if user can read blobs from target hold. 269 + // - Public hold: any user (even anonymous) 270 + // - Private hold: owner OR crew with blob:read/blob:write 271 + func (uc *UserContext) CanRead(ctx context.Context) (bool, error) { 272 + if uc.TargetHoldDID == "" { 273 + return false, fmt.Errorf("target hold not set (call SetTarget first)") 274 + } 275 + 276 + if uc.authorizer == nil { 277 + return false, fmt.Errorf("authorizer not configured") 278 + } 279 + 280 + return uc.authorizer.CheckReadAccess(ctx, uc.TargetHoldDID, uc.DID) 281 + } 282 + 283 + // CanWrite checks if user can write blobs to target hold. 284 + // - Must be authenticated 285 + // - Must be owner OR crew with blob:write 286 + func (uc *UserContext) CanWrite(ctx context.Context) (bool, error) { 287 + if uc.TargetHoldDID == "" { 288 + return false, fmt.Errorf("target hold not set (call SetTarget first)") 289 + } 290 + 291 + if !uc.IsAuthenticated { 292 + return false, nil // Anonymous writes never allowed 293 + } 294 + 295 + if uc.authorizer == nil { 296 + return false, fmt.Errorf("authorizer not configured") 297 + } 298 + 299 + return uc.authorizer.CheckWriteAccess(ctx, uc.TargetHoldDID, uc.DID) 300 + } 301 + 302 + // GetPermissions returns detailed permissions for target hold. 303 + // Lazy-loaded and cached per holdDID. 304 + func (uc *UserContext) GetPermissions(ctx context.Context) (*HoldPermissions, error) { 305 + if uc.TargetHoldDID == "" { 306 + return nil, fmt.Errorf("target hold not set (call SetTarget first)") 307 + } 308 + return uc.GetPermissionsForHold(ctx, uc.TargetHoldDID) 309 + } 310 + 311 + // GetPermissionsForHold returns detailed permissions for an arbitrary hold. 312 + // Lazy-loaded and cached per holdDID. 313 + func (uc *UserContext) GetPermissionsForHold(ctx context.Context, holdDID string) (*HoldPermissions, error) { 314 + // Check cache first 315 + if cached, ok := uc.permissions.Load(holdDID); ok { 316 + return cached.(*HoldPermissions), nil 317 + } 318 + 319 + if uc.authorizer == nil { 320 + return nil, fmt.Errorf("authorizer not configured") 321 + } 322 + 323 + // Build permissions by querying authorizer 324 + captain, err := uc.authorizer.GetCaptainRecord(ctx, holdDID) 325 + if err != nil { 326 + return nil, fmt.Errorf("failed to get captain record: %w", err) 327 + } 328 + 329 + perms := &HoldPermissions{ 330 + HoldDID: holdDID, 331 + IsPublic: captain.Public, 332 + IsOwner: uc.DID != "" && uc.DID == captain.Owner, 333 + } 334 + 335 + // Check crew membership if authenticated and not owner 336 + if uc.IsAuthenticated && !perms.IsOwner { 337 + isCrew, crewErr := uc.authorizer.IsCrewMember(ctx, holdDID, uc.DID) 338 + if crewErr != nil { 339 + slog.Warn("Failed to check crew membership", 340 + "component", "auth/context", 341 + "holdDID", holdDID, 342 + "userDID", uc.DID, 343 + "error", crewErr) 344 + } 345 + perms.IsCrew = isCrew 346 + } 347 + 348 + // Compute permissions based on role 349 + if perms.IsOwner { 350 + perms.CanRead = true 351 + perms.CanWrite = true 352 + perms.CanAdmin = true 353 + } else if perms.IsCrew { 354 + // Crew members can read and write (for now, all crew have blob:write) 355 + // TODO: Check specific permissions from crew record 356 + perms.CanRead = true 357 + perms.CanWrite = true 358 + perms.CanAdmin = false 359 + } else if perms.IsPublic { 360 + // Public hold - anyone can read 361 + perms.CanRead = true 362 + perms.CanWrite = false 363 + perms.CanAdmin = false 364 + } else if uc.IsAuthenticated { 365 + // Private hold, authenticated non-crew 366 + // Per permission matrix: cannot read private holds 367 + perms.CanRead = false 368 + perms.CanWrite = false 369 + perms.CanAdmin = false 370 + } else { 371 + // Anonymous on private hold 372 + perms.CanRead = false 373 + perms.CanWrite = false 374 + perms.CanAdmin = false 375 + } 376 + 377 + // Cache and return 378 + uc.permissions.Store(holdDID, perms) 379 + return perms, nil 380 + } 381 + 382 + // IsCrewMember checks if user is crew of target hold. 383 + func (uc *UserContext) IsCrewMember(ctx context.Context) (bool, error) { 384 + if uc.TargetHoldDID == "" { 385 + return false, fmt.Errorf("target hold not set (call SetTarget first)") 386 + } 387 + 388 + if !uc.IsAuthenticated { 389 + return false, nil 390 + } 391 + 392 + if uc.authorizer == nil { 393 + return false, fmt.Errorf("authorizer not configured") 394 + } 395 + 396 + return uc.authorizer.IsCrewMember(ctx, uc.TargetHoldDID, uc.DID) 397 + } 398 + 399 + // EnsureCrewMembership is a standalone function to register as crew on a hold. 400 + // Use this when you don't have a UserContext (e.g., OAuth callback). 401 + // This is best-effort and logs errors without failing. 402 + func EnsureCrewMembership(ctx context.Context, did, pdsEndpoint string, refresher *oauth.Refresher, holdDID string) { 403 + if holdDID == "" { 404 + return 405 + } 406 + 407 + // Only works with OAuth (refresher required) - app passwords can't get service tokens 408 + if refresher == nil { 409 + slog.Debug("skipping crew registration - no OAuth refresher (app password flow)", "holdDID", holdDID) 410 + return 411 + } 412 + 413 + // Normalize URL to DID if needed 414 + if !atproto.IsDID(holdDID) { 415 + holdDID = atproto.ResolveHoldDIDFromURL(holdDID) 416 + if holdDID == "" { 417 + slog.Warn("failed to resolve hold DID", "defaultHold", holdDID) 418 + return 419 + } 420 + } 421 + 422 + // Get service token for the hold (OAuth only at this point) 423 + serviceToken, err := GetOrFetchServiceToken(ctx, AuthMethodOAuth, refresher, did, holdDID, pdsEndpoint) 424 + if err != nil { 425 + slog.Warn("failed to get service token", "holdDID", holdDID, "error", err) 426 + return 427 + } 428 + 429 + // Resolve hold DID to HTTP endpoint 430 + holdEndpoint := atproto.ResolveHoldURL(holdDID) 431 + if holdEndpoint == "" { 432 + slog.Warn("failed to resolve hold endpoint", "holdDID", holdDID) 433 + return 434 + } 435 + 436 + // Call requestCrew endpoint 437 + if err := requestCrewMembership(ctx, holdEndpoint, serviceToken); err != nil { 438 + slog.Warn("failed to request crew membership", "holdDID", holdDID, "error", err) 439 + return 440 + } 441 + 442 + slog.Info("successfully registered as crew member", "holdDID", holdDID, "userDID", did) 443 + } 444 + 445 + // ensureCrewMembership attempts to register as crew on target hold (UserContext method). 446 + // Called automatically during first push; idempotent. 447 + // This is a best-effort operation and logs errors without failing. 448 + // Requires SetTarget() to be called first. 449 + func (uc *UserContext) ensureCrewMembership(ctx context.Context) error { 450 + if uc.TargetHoldDID == "" { 451 + return fmt.Errorf("target hold not set (call SetTarget first)") 452 + } 453 + return uc.EnsureCrewMembershipForHold(ctx, uc.TargetHoldDID) 454 + } 455 + 456 + // EnsureCrewMembershipForHold attempts to register as crew on the specified hold. 457 + // This is the core implementation that can be called with any holdDID. 458 + // Called automatically during first push; idempotent. 459 + // This is a best-effort operation and logs errors without failing. 460 + func (uc *UserContext) EnsureCrewMembershipForHold(ctx context.Context, holdDID string) error { 461 + if holdDID == "" { 462 + return nil // Nothing to do 463 + } 464 + 465 + // Normalize URL to DID if needed 466 + if !atproto.IsDID(holdDID) { 467 + holdDID = atproto.ResolveHoldDIDFromURL(holdDID) 468 + if holdDID == "" { 469 + return fmt.Errorf("failed to resolve hold DID from URL") 470 + } 471 + } 472 + 473 + if !uc.IsAuthenticated { 474 + return fmt.Errorf("cannot register as crew: user not authenticated") 475 + } 476 + 477 + if uc.refresher == nil { 478 + return fmt.Errorf("cannot register as crew: OAuth session required") 479 + } 480 + 481 + // Get service token for the hold 482 + serviceToken, err := uc.GetServiceTokenForHold(ctx, holdDID) 483 + if err != nil { 484 + return fmt.Errorf("failed to get service token: %w", err) 485 + } 486 + 487 + // Resolve hold DID to HTTP endpoint 488 + holdEndpoint := atproto.ResolveHoldURL(holdDID) 489 + if holdEndpoint == "" { 490 + return fmt.Errorf("failed to resolve hold endpoint for %s", holdDID) 491 + } 492 + 493 + // Call requestCrew endpoint 494 + return requestCrewMembership(ctx, holdEndpoint, serviceToken) 495 + } 496 + 497 + // requestCrewMembership calls the hold's requestCrew endpoint 498 + // The endpoint handles all authorization and duplicate checking internally 499 + func requestCrewMembership(ctx context.Context, holdEndpoint, serviceToken string) error { 500 + // Add 5 second timeout to prevent hanging on offline holds 501 + ctx, cancel := context.WithTimeout(ctx, 5*time.Second) 502 + defer cancel() 503 + 504 + url := fmt.Sprintf("%s%s", holdEndpoint, atproto.HoldRequestCrew) 505 + 506 + req, err := http.NewRequestWithContext(ctx, "POST", url, nil) 507 + if err != nil { 508 + return err 509 + } 510 + 511 + req.Header.Set("Authorization", "Bearer "+serviceToken) 512 + req.Header.Set("Content-Type", "application/json") 513 + 514 + resp, err := http.DefaultClient.Do(req) 515 + if err != nil { 516 + return err 517 + } 518 + defer resp.Body.Close() 519 + 520 + if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated { 521 + // Read response body to capture actual error message from hold 522 + body, readErr := io.ReadAll(resp.Body) 523 + if readErr != nil { 524 + return fmt.Errorf("requestCrew failed with status %d (failed to read error body: %w)", resp.StatusCode, readErr) 525 + } 526 + return fmt.Errorf("requestCrew failed with status %d: %s", resp.StatusCode, string(body)) 527 + } 528 + 529 + return nil 530 + } 531 + 532 + // GetUserClient returns an authenticated ATProto client for the user's own PDS. 533 + // Used for profile operations (reading/writing to user's own repo). 534 + // Returns nil if not authenticated or PDS not resolved. 535 + func (uc *UserContext) GetUserClient() *atproto.Client { 536 + if !uc.IsAuthenticated || uc.PDSEndpoint == "" { 537 + return nil 538 + } 539 + 540 + if uc.AuthMethod == AuthMethodOAuth && uc.refresher != nil { 541 + return atproto.NewClientWithSessionProvider(uc.PDSEndpoint, uc.DID, uc.refresher) 542 + } else if uc.AuthMethod == AuthMethodAppPassword { 543 + accessToken, _ := GetGlobalTokenCache().Get(uc.DID) 544 + return atproto.NewClient(uc.PDSEndpoint, uc.DID, accessToken) 545 + } 546 + 547 + return nil 548 + } 549 + 550 + // EnsureUserSetup ensures the user has a profile and crew membership. 551 + // Called once per user (cached for userSetupTTL). Runs in background - does not block. 552 + // Safe to call on every request. 553 + func (uc *UserContext) EnsureUserSetup() { 554 + if !uc.IsAuthenticated || uc.DID == "" { 555 + return 556 + } 557 + 558 + // Check cache - skip if recently set up 559 + if lastSetup, ok := userSetupCache.Load(uc.DID); ok { 560 + if time.Since(lastSetup.(time.Time)) < userSetupTTL { 561 + return 562 + } 563 + } 564 + 565 + // Run in background to avoid blocking requests 566 + go func() { 567 + bgCtx := context.Background() 568 + 569 + // 1. Ensure profile exists 570 + if client := uc.GetUserClient(); client != nil { 571 + uc.ensureProfile(bgCtx, client) 572 + } 573 + 574 + // 2. Ensure crew membership on default hold 575 + if uc.defaultHoldDID != "" { 576 + EnsureCrewMembership(bgCtx, uc.DID, uc.PDSEndpoint, uc.refresher, uc.defaultHoldDID) 577 + } 578 + 579 + // Mark as set up 580 + userSetupCache.Store(uc.DID, time.Now()) 581 + slog.Debug("User setup complete", 582 + "component", "auth/usercontext", 583 + "did", uc.DID, 584 + "defaultHoldDID", uc.defaultHoldDID) 585 + }() 586 + } 587 + 588 + // ensureProfile creates sailor profile if it doesn't exist. 589 + // Inline implementation to avoid circular import with storage package. 590 + func (uc *UserContext) ensureProfile(ctx context.Context, client *atproto.Client) { 591 + // Check if profile already exists 592 + profile, err := client.GetRecord(ctx, atproto.SailorProfileCollection, "self") 593 + if err == nil && profile != nil { 594 + return // Already exists 595 + } 596 + 597 + // Create profile with default hold 598 + normalizedDID := "" 599 + if uc.defaultHoldDID != "" { 600 + normalizedDID = atproto.ResolveHoldDIDFromURL(uc.defaultHoldDID) 601 + } 602 + 603 + newProfile := atproto.NewSailorProfileRecord(normalizedDID) 604 + if _, err := client.PutRecord(ctx, atproto.SailorProfileCollection, "self", newProfile); err != nil { 605 + slog.Warn("Failed to create sailor profile", 606 + "component", "auth/usercontext", 607 + "did", uc.DID, 608 + "error", err) 609 + return 610 + } 611 + 612 + slog.Debug("Created sailor profile", 613 + "component", "auth/usercontext", 614 + "did", uc.DID, 615 + "defaultHold", normalizedDID) 616 + } 617 + 618 + // GetATProtoClient returns a cached ATProto client for the target owner's PDS. 619 + // Authenticated if user is owner, otherwise anonymous. 620 + // Cached per-request (uses sync.Once). 621 + func (uc *UserContext) GetATProtoClient() *atproto.Client { 622 + uc.atprotoClientOnce.Do(func() { 623 + if uc.TargetOwnerPDS == "" { 624 + return 625 + } 626 + 627 + // If puller is owner and authenticated, use authenticated client 628 + if uc.DID == uc.TargetOwnerDID && uc.IsAuthenticated { 629 + if uc.AuthMethod == AuthMethodOAuth && uc.refresher != nil { 630 + uc.atprotoClient = atproto.NewClientWithSessionProvider(uc.TargetOwnerPDS, uc.TargetOwnerDID, uc.refresher) 631 + return 632 + } else if uc.AuthMethod == AuthMethodAppPassword { 633 + accessToken, _ := GetGlobalTokenCache().Get(uc.TargetOwnerDID) 634 + uc.atprotoClient = atproto.NewClient(uc.TargetOwnerPDS, uc.TargetOwnerDID, accessToken) 635 + return 636 + } 637 + } 638 + 639 + // Anonymous client for reads 640 + uc.atprotoClient = atproto.NewClient(uc.TargetOwnerPDS, uc.TargetOwnerDID, "") 641 + }) 642 + return uc.atprotoClient 643 + } 644 + 645 + // ResolveHoldDID finds the hold for the target repository. 646 + // - Pull: uses database lookup (historical from manifest) 647 + // - Push: uses discovery (sailor profile → default) 648 + // 649 + // Must be called after SetTarget() is called with at least TargetOwnerDID and TargetRepo set. 650 + // Updates TargetHoldDID on success. 651 + func (uc *UserContext) ResolveHoldDID(ctx context.Context, sqlDB *sql.DB) (string, error) { 652 + if uc.TargetOwnerDID == "" { 653 + return "", fmt.Errorf("target owner not set") 654 + } 655 + 656 + var holdDID string 657 + var err error 658 + 659 + switch uc.Action { 660 + case ActionPull: 661 + // For pulls, look up historical hold from database 662 + holdDID, err = uc.resolveHoldForPull(ctx, sqlDB) 663 + case ActionPush: 664 + // For pushes, discover hold from owner's profile 665 + holdDID, err = uc.resolveHoldForPush(ctx) 666 + default: 667 + // Default to push discovery 668 + holdDID, err = uc.resolveHoldForPush(ctx) 669 + } 670 + 671 + if err != nil { 672 + return "", err 673 + } 674 + 675 + if holdDID == "" { 676 + return "", fmt.Errorf("no hold DID found for %s/%s", uc.TargetOwnerDID, uc.TargetRepo) 677 + } 678 + 679 + uc.TargetHoldDID = holdDID 680 + return holdDID, nil 681 + } 682 + 683 + // resolveHoldForPull looks up the hold from the database (historical reference) 684 + func (uc *UserContext) resolveHoldForPull(ctx context.Context, sqlDB *sql.DB) (string, error) { 685 + // If no database is available, fall back to discovery 686 + if sqlDB == nil { 687 + return uc.resolveHoldForPush(ctx) 688 + } 689 + 690 + // Try database lookup first 691 + holdDID, err := db.GetLatestHoldDIDForRepo(sqlDB, uc.TargetOwnerDID, uc.TargetRepo) 692 + if err != nil { 693 + slog.Debug("Database lookup failed, falling back to discovery", 694 + "component", "auth/context", 695 + "ownerDID", uc.TargetOwnerDID, 696 + "repo", uc.TargetRepo, 697 + "error", err) 698 + return uc.resolveHoldForPush(ctx) 699 + } 700 + 701 + if holdDID != "" { 702 + return holdDID, nil 703 + } 704 + 705 + // No historical hold found, fall back to discovery 706 + return uc.resolveHoldForPush(ctx) 707 + } 708 + 709 + // resolveHoldForPush discovers hold from owner's sailor profile or default 710 + func (uc *UserContext) resolveHoldForPush(ctx context.Context) (string, error) { 711 + // Create anonymous client to query owner's profile 712 + client := atproto.NewClient(uc.TargetOwnerPDS, uc.TargetOwnerDID, "") 713 + 714 + // Try to get owner's sailor profile 715 + record, err := client.GetRecord(ctx, atproto.SailorProfileCollection, "self") 716 + if err == nil && record != nil { 717 + var profile atproto.SailorProfileRecord 718 + if jsonErr := json.Unmarshal(record.Value, &profile); jsonErr == nil { 719 + if profile.DefaultHold != "" { 720 + // Normalize to DID if needed 721 + holdDID := profile.DefaultHold 722 + if !atproto.IsDID(holdDID) { 723 + holdDID = atproto.ResolveHoldDIDFromURL(holdDID) 724 + } 725 + slog.Debug("Found hold from owner's profile", 726 + "component", "auth/context", 727 + "ownerDID", uc.TargetOwnerDID, 728 + "holdDID", holdDID) 729 + return holdDID, nil 730 + } 731 + } 732 + } 733 + 734 + // Fall back to default hold 735 + if uc.defaultHoldDID != "" { 736 + slog.Debug("Using default hold", 737 + "component", "auth/context", 738 + "ownerDID", uc.TargetOwnerDID, 739 + "defaultHoldDID", uc.defaultHoldDID) 740 + return uc.defaultHoldDID, nil 741 + } 742 + 743 + return "", fmt.Errorf("no hold configured for %s and no default hold set", uc.TargetOwnerDID) 744 + } 745 + 746 + // ============================================================================= 747 + // Test Helper Methods 748 + // ============================================================================= 749 + // These methods are designed to make UserContext testable by allowing tests 750 + // to bypass network-dependent code paths (PDS resolution, OAuth token fetching). 751 + // Only use these in tests - they are not intended for production use. 752 + 753 + // SetPDSForTest sets the PDS endpoint directly, bypassing ResolvePDS network calls. 754 + // This allows tests to skip DID resolution which would make network requests. 755 + // Deprecated: Use SetPDS instead. 756 + func (uc *UserContext) SetPDSForTest(handle, pdsEndpoint string) { 757 + uc.SetPDS(handle, pdsEndpoint) 758 + } 759 + 760 + // SetServiceTokenForTest pre-populates a service token for the given holdDID, 761 + // bypassing the sync.Once and OAuth/app-password fetching logic. 762 + // The token will appear as if it was already fetched and cached. 763 + func (uc *UserContext) SetServiceTokenForTest(holdDID, token string) { 764 + entry := &serviceTokenEntry{ 765 + token: token, 766 + expiresAt: time.Now().Add(5 * time.Minute), 767 + err: nil, 768 + } 769 + // Mark the sync.Once as done so real fetch won't happen 770 + entry.once.Do(func() {}) 771 + uc.serviceTokens.Store(holdDID, entry) 772 + } 773 + 774 + // SetAuthorizerForTest sets the authorizer for permission checks. 775 + // Use with MockHoldAuthorizer to control CanRead/CanWrite behavior in tests. 776 + func (uc *UserContext) SetAuthorizerForTest(authorizer HoldAuthorizer) { 777 + uc.authorizer = authorizer 778 + } 779 + 780 + // SetDefaultHoldDIDForTest sets the default hold DID for tests. 781 + // This is used as fallback when resolving hold for push operations. 782 + func (uc *UserContext) SetDefaultHoldDIDForTest(holdDID string) { 783 + uc.defaultHoldDID = holdDID 784 + }

Compare changes