Extract DCR resolver into pkg/auth/dcr#5198
Draft
tgrunnagle wants to merge 2 commits intodcr-3c_issue_5185from
Draft
Extract DCR resolver into pkg/auth/dcr#5198tgrunnagle wants to merge 2 commits intodcr-3c_issue_5185from
tgrunnagle wants to merge 2 commits intodcr-3c_issue_5185from
Conversation
Sub-issue 4a of #5145. Creates the shared pkg/auth/dcr package and migrates the embedded authserver to consume it. The CLI flow migration (pkg/auth/discovery::PerformOAuthFlow) is left to a follow-up so this slice stays under the project's PR-size limit. Files moved (renamed via git mv so the diff shows as renames, not deletions + additions): pkg/authserver/runner/dcr.go -> pkg/auth/dcr/resolver.go pkg/authserver/runner/dcr_store.go -> pkg/auth/dcr/store.go pkg/authserver/runner/dcr_test.go -> pkg/auth/dcr/resolver_test.go pkg/authserver/runner/dcr_store_test.go -> pkg/auth/dcr/store_test.go Public API surface (renamed from runner-package internals because they now cross a package boundary): Resolution (was DCRResolution) Key (was DCRKey, alias to storage.DCRKey unchanged) CredentialStore (was DCRCredentialStore) ResolveCredentials (was resolveDCRCredentials) NeedsDCR (was needsDCR) ConsumeResolution (was consumeResolution) ApplyResolutionToOAuth2Config (was applyResolutionToOAuth2Config) LogStepError (was logDCRStepError) NewInMemoryStore (was NewInMemoryDCRCredentialStore) NewStorageBackedStore (was newStorageBackedStore) Names follow the pkg/auth/dcr.* form so the linter's stuttering check (revive: dcr.DCRResolution would stutter) passes and the surface reads as ordinary package API. resolveSecret was duplicated into the dcr package because pkg/auth/dcr must stay profile-agnostic and cannot reach back into pkg/authserver/ runner. The duplication is intentional and called out in a comment; future consolidation can move it into a shared helper if a third caller appears. Acceptance criteria status (#5145): AC#1 (pkg/auth/dcr exists, exports a stateful resolver, consumed by both call sites): partially met — package exists and is consumed by EmbeddedAuthServer. CLI flow migration is sub-issue 4b. AC#2 (stateless RFC 7591 helpers in pkg/oauthproto): met (already satisfied before this PR). AC#3 (no direct oauthproto.RegisterClientDynamically calls outside pkg/auth/dcr): not yet met — pkg/auth/discovery still calls it. Resolved by sub-issue 4b. AC#4 (review-property behaviours apply to CLI flow): not yet met — same dependency on 4b. Verified via task lint-fix (0 issues), go test -race ./pkg/auth/dcr/... ./pkg/authserver/... (all pass), and task license-check (clean).
Fixed issues from review of df84256 (Extract DCR resolver into pkg/auth/dcr) for issue #5145 sub-issue 4a: - HIGH: Stale identifier references in buildUpstreamConfigs doc comment in pkg/authserver/runner/embeddedauthserver.go named the pre-rename symbols (consumeResolution, applyResolutionToOAuth2Config, resolveDCRCredentials, logDCRStepError). Updated the comment to use the new public names (dcr.ConsumeResolution, dcr.ApplyResolutionToOAuth2Config, dcr.ResolveCredentials, dcr.LogStepError). Re-grepped the runner package; no other survivors. - HIGH: pkg/auth/dcr's package doc claimed "profile-agnostic" while the public API takes embedded-authserver types directly. Revised the package doc comment in pkg/auth/dcr/resolver.go to call out the current coupling explicitly and labelled the profile-agnostic framing as a target state for sub-issue 4b rather than the current API shape. Designing a profile-neutral input type with only one consumer in hand would be speculative; the right design moment is when 4b lands the CLI flow as the second consumer. - MEDIUM: DCRStore() accessor doc comment in pkg/authserver/runner/embeddedauthserver.go referenced the dropped "runner-DCRCredentialStore adapter" name. Replaced with "dcr.CredentialStore adapter". - MEDIUM: resolveSecret is duplicated across pkg/authserver/runner and pkg/auth/dcr. Added a parallel TestResolveSecret / TestResolveSecretWithEnvVar suite in pkg/auth/dcr/secret_test.go that mirrors the runner-package twin's observable contract, so any future drift between the two copies will fail one of the two tests at CI time. Lifting into a shared helper is deferred until 4b lands a third call site. - MEDIUM: Process-global singleflight was undocumented at the package surface. Added a "Concurrency" section to the package doc comment in pkg/auth/dcr/resolver.go. Extended the dcrFlight var doc with a cross-consumer caveat that names the "third consumer with colliding redirect URI" failure mode. Extracted the flight-key construction into a new flightKeyOf(Key) string helper so the canonical key shape is inspectable rather than buried in a string-concatenation literal. - MEDIUM: endpointsFromMetadata dereferenced metadata without a defensive nil check. Added the guard immediately after the fetchErr check in pkg/auth/dcr/resolver.go::endpointsFromMetadata with an error message that names the cross-package contract being defended. Documented the oauthproto contract on the function's doc comment so the assumption is visible at the call site. Verified via task lint-fix (0 issues), task license-check (clean), and go test -count=1 -race ./pkg/auth/dcr/... ./pkg/authserver/... (all pass).
github-actions
Bot
added
size/L
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## dcr-3c_issue_5185 #5198 +/- ##
====================================================
Coverage ? 67.60%
====================================================
Files ? 601
Lines ? 61436
Branches ? 0
====================================================
Hits ? 41535
Misses ? 16771
Partials ? 3130 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
DRAFT - not ready for review
Summary
pkg/authserver/runner/dcr.goandpkg/auth/discovery::PerformOAuthFlow) into a single sharedpkg/auth/dcrpackage, so review-derived behaviours (S256 PKCE gate, RFC 7591 §3.2.1 expiry refetch, redirect refusal, panic recovery, singleflight) cannot diverge between the embedded authserver and the CLI flow as future consumers land. The full migration is too large for a single PR, so this slice (sub-issue 4a) does the package extraction and migrates the embedded authserver only.pkg/authserver/runnerinto a newpkg/auth/dcrpackage and migratesEmbeddedAuthServerto consume it. File moves usegit mvso the diff renders as renames rather than delete+add. Public symbols are renamed to drop the redundantDCRprefix on packagisation (e.g.,DCRResolution→dcr.Resolution,DCRCredentialStore→dcr.CredentialStore,resolveDCRCredentials→dcr.ResolveCredentials). Adds a parallelTestResolveSecretsuite mirroring the runner-package twin so any future drift between the tworesolveSecretcopies fails CI.Part of #5145 — does not close it. Acceptance criteria #1, #3 and #4 still depend on sub-issue 4b (CLI flow migration in
pkg/auth/discovery::PerformOAuthFlow) before the issue can close.Stacking
This branch is stacked on PR #5196 (
dcr-3c_issue_5185— "Wire persistent DCRCredentialStore into EmbeddedAuthServer"), which is itself stacked on PRs #5186 and #5195. The earlier commits on this branch (c0fed523through781a0b97) implement sub-issues #5183 / #5184 / #5185 (the persistent DCR store and Redis backend) and are shown for context only — review against PR #5196 once it merges, or review the two commits unique to this branch in isolation:df84256fExtract DCR resolver intopkg/auth/dcr633ed9edAddress code review feedbackType of change
Test plan
task test) —go test -count=1 -race ./pkg/auth/dcr/... ./pkg/authserver/...all passtask lint-fix) — 0 issuestask license-check) — cleanChanges
pkg/auth/dcr/resolver.gopkg/authserver/runner/dcr.go; public symbols renamed to drop theDCRprefix; package doc updated with a# Concurrencysection documenting the process-global singleflight; newflightKeyOf(Key)helper makes the canonical key shape inspectable;endpointsFromMetadatagains a defensive nil check and anoauthprotocontract note.pkg/auth/dcr/store.gopkg/authserver/runner/dcr_store.go; constructors renamed (NewInMemoryStore,NewStorageBackedStore); type renamed toCredentialStore.pkg/auth/dcr/resolver_test.gopkg/authserver/runner/dcr_test.go; updated for new package boundary and renamed symbols.pkg/auth/dcr/store_test.gopkg/authserver/runner/dcr_store_test.go; updated for new package boundary.pkg/auth/dcr/secret_test.goresolveSecretsuite that mirrors the runner-package twin's observable contract so future drift between the two duplicated helpers fails CI on at least one side.pkg/authserver/runner/embeddedauthserver.gopkg/auth/dcr; doc comments onbuildUpstreamConfigsandDCRStore()updated to use the new public names.pkg/authserver/runner/embeddedauthserver_test.goDoes this introduce a user-facing change?
No. This is an internal refactor. The embedded authserver's externally-observable DCR behaviour (registration, caching, error reporting, structured logging, expiry refetch, S256 gating) is unchanged.
Implementation plan
Approved implementation plan
Sub-issue 4a of #5145 — extract the resolver into
pkg/auth/dcrand migrate the embedded authserver only. Defer thepkg/auth/discovery::PerformOAuthFlowmigration to sub-issue 4b so this slice stays under the 400-line / 10-file PR-size limit.Profile-neutral input shape: the package's API still takes embedded-authserver types directly. Designing a profile-neutral input type with only one consumer in hand would be speculative; the right design moment is when 4b lands the CLI flow as the second consumer. The package doc comment in
pkg/auth/dcr/resolver.gocalls this coupling out explicitly and labels the profile-agnostic framing as a target state for 4b rather than the current API shape.Duplication of
resolveSecret: deliberately duplicated acrosspkg/authserver/runnerandpkg/auth/dcrbecause the DCR package must stay reachable-from-runner-but-not-back. Promoting to a shared helper is deferred until 4b lands a third call site. Drift between the two copies is guarded by parallel test suites with identical observable contracts.Special notes for reviewers
git mvso the diff renders as renames. The percentage similarity ingit log --stat --followreflects that the bulk of the move is mechanical and the substantive deltas are confined to (a) the package doc rewrite at the top ofresolver.go, (b) theflightKeyOfextraction and singleflight comment, (c) theendpointsFromMetadatanil guard, and (d) the import/symbol rename sweep inembeddedauthserver.go.dcrFlightvar. The cross-consumer caveat ("third consumer with colliding redirect URI" failure mode) is named explicitly so the next migration cannot silently re-introduce a collision.df84256f):pkg/auth/dcrexists, exports a stateful resolver, consumed by both call sites): partially met — package exists and is consumed byEmbeddedAuthServer. CLI flow migration is sub-issue 4b.pkg/oauthproto): met (already satisfied before this PR).oauthproto.RegisterClientDynamicallycalls outsidepkg/auth/dcr): not yet met —pkg/auth/discoverystill calls it. Resolved by sub-issue 4b.