stacklok / toolhive / 26381184923

25 May 2026 03:11AM UTC coverage: 65.853% (+0.04%) from 65.817%
push

github

web-flow
Add CIMD storage decorator for embedded AS (#5343)

* Add CIMD storage decorator for embedded AS (Phase 2 PR 2)

The CIMDStorageDecorator wraps storage.Storage and intercepts GetClient
calls for HTTPS client_id values. When the embedded AS receives a
client_id like https://vscode.dev/oauth/client-metadata.json, the
decorator fetches the CIMD document via pkg/oauthproto/cimd, validates
it, builds a fosite.Client, caches the result with a configurable
fallback TTL, and deduplicates concurrent fetches for the same URL via
singleflight.

Key design decisions:
- Embeds storage.Storage so all ~30 other methods delegate transparently
- Unwrap() exposes the underlying storage for the DCRCredentialStore and
  RedisStorage type assertions in server_impl.go to reach the concrete
  backend through the decorator layer
- LoopbackClient wraps clients with loopback redirect URIs for RFC 8252
  §7.3 dynamic port matching
- NewCIMDStorageDecorator returns base unchanged when enabled=false (no
  allocation); fails loudly for invalid cacheMaxSize

runLegacyMigration extracted from newServer to keep the function under
the gocyclo limit after the Unwrap additions; both the DCRCredentialStore
assertion and the RedisStorage migration now use the same Unwrap pattern.

Incorporates all changes from PR 1 (pkg/oauthproto/cimd sub-package,
networking.FetchJSON with WithMaxResponseSize, IsPrivateIP reuse).

Relates to #4825

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Address Copilot review comments on CIMD storage decorator

cimd_decorator.go:
- Fix docstring: TTL is fixed (not from Cache-Control); Cache-Control
  parsing is a documented follow-up
- Force token_endpoint_auth_method to "none": the embedded AS only
  advertises "none" in discovery, so accepting other values creates an
  inconsistent client; always override regardless of what the document says
- Fix LoopbackClient dropping TokenEndpointAuthMethod: was passing
  defaultClient (no auth me... (continued)

130 of 143 new or added lines in 3 files covered. (90.91%)

9 existing lines in 3 files now uncovered.

65286 of 99139 relevant lines covered (65.85%)

62.94 hits per line

Source File: /pkg/authserver/server_impl.go (86.81%)
