
stacklok / toolhive / 26381184923
66%

Build:
DEFAULT BRANCH: main
Ran 25 May 2026 03:19AM UTC
Jobs 1
Files 738
Run time 2min

25 May 2026 03:11AM UTC coverage: 65.853% (+0.04%) from 65.817%
26381184923

push

github

web-flow
Add CIMD storage decorator for embedded AS (#5343)

* Add CIMD storage decorator for embedded AS (Phase 2 PR 2)

The CIMDStorageDecorator wraps storage.Storage and intercepts GetClient
calls for HTTPS client_id values. When the embedded AS receives a
client_id like https://vscode.dev/oauth/client-metadata.json, the
decorator fetches the CIMD document via pkg/oauthproto/cimd, validates
it, builds a fosite.Client, caches the result with a configurable
fallback TTL, and deduplicates concurrent fetches for the same URL via
singleflight.

Key design decisions:
- Embeds storage.Storage so all ~30 other methods delegate transparently
- Unwrap() exposes the underlying storage for the DCRCredentialStore and
  RedisStorage type assertions in server_impl.go to reach the concrete
  backend through the decorator layer
- LoopbackClient wraps clients with loopback redirect URIs for RFC 8252
  §7.3 dynamic port matching
- NewCIMDStorageDecorator returns base unchanged when enabled=false (no
  allocation); fails loudly for invalid cacheMaxSize

runLegacyMigration extracted from newServer to keep the function under
the gocyclo limit after the Unwrap additions; both the DCRCredentialStore
assertion and the RedisStorage migration now use the same Unwrap pattern.

Incorporates all changes from PR 1 (pkg/oauthproto/cimd sub-package,
networking.FetchJSON with WithMaxResponseSize, IsPrivateIP reuse).

Relates to #4825

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Address Copilot review comments on CIMD storage decorator

cimd_decorator.go:
- Fix docstring: TTL is fixed (not from Cache-Control); Cache-Control
  parsing is a documented follow-up
- Force token_endpoint_auth_method to "none": the embedded AS only
  advertises "none" in discovery, so accepting other values creates an
  inconsistent client; always override regardless of what the document says
- Fix LoopbackClient dropping TokenEndpointAuthMethod: was passing
  defaultClient (no auth me... (continued)

130 of 143 new or added lines in 3 files covered. (90.91%)

9 existing lines in 3 files now uncovered.

65286 of 99139 relevant lines covered (65.85%)

62.94 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
7      93.86             pkg/authserver/storage/cimd_decorator.go
6      86.81     -1.21%  pkg/authserver/server_impl.go

Coverage Regressions

Lines  Coverage  ∆       File
6      76.15     -5.5%   pkg/secrets/keyring/keyctl_linux.go
2      73.63     -0.64%  pkg/runner/config.go
1      86.81     -1.21%  pkg/authserver/server_impl.go
Jobs
ID  Job ID         Ran                      Files  Coverage
1   26381184923.1  25 May 2026 03:19AM UTC  738    65.85
  • Github Actions Build #26381184923
  • 2043cf6c on github