auth-bundle-1 Phase 0: extract internal/auth/ from middleware package

Bundle 1 / Phase 0: pure refactor splitting auth surface out of internal/api/middleware so Bundle 2 (OIDC + sessions) and the broader RBAC primitive (roles, permissions, scoped grants) have a clean home. Moved to internal/auth/: NamedAPIKey, HashAPIKey, AuthConfig, NewAuthWithNamedKeys, NewAuth, UserKey, AdminKey, GetUser, IsAdmin. Added testfixtures.go (WithActor / WithAdmin / WithActorAdmin) so handler tests don't construct context manually. Stayed in internal/api/middleware/: RequestID, Logging, NewLogging, Recovery, RateLimitConfig, NewRateLimiter (now imports auth.GetUser for per-user keying per audit Category C), CORSConfig, NewCORS, ContentType, CORS, GetRequestID, responseWriter, Chain, audit middleware (now imports auth.GetUser). Updated 22 caller files across cmd/, internal/api/handler/, internal/api/middleware/, internal/mcp/. Existing m008_admin_gate_test.go now scans for auth.IsAdmin( substring; Phase 3 will further evolve to track auth.RequirePermission. Behavior unchanged: all handler / middleware / service / connector / cmd / mcp tests pass with no test-logic edits, only import-path renames. Phase 0 exit criteria: internal/auth/ exists with 6 files; middleware.go went 575 -> 422 lines (auth-related ~150 lines moved out); grep -rE 'middleware\.(GetUser|IsAdmin|UserKey|AdminKey|NamedAPIKey|HashAPIKey|NewAuth)' returns 0 hits; context.WithValue(.*middleware.UserKey/AdminKey) returns 0 hits; go vet ./... clean; go test -short ./... green across all packages tested. Branch: dev/auth-bundle-1. Per cowork/auth-bundle-1-prompt.md, do not merge to master without (1) make verify green, (2) >= 2 external testers confirm, (3) >= 90% coverage on internal/auth/ in .github/coverage-thresholds.yml.
2026-06-07 15:51:30 +00:00 · 2026-05-09 15:51:31 +00:00
parent 71ebccb8ba
commit 99a012e3be
32 changed files with 397 additions and 283 deletions
@@ -21,6 +21,7 @@ import (
 	"github.com/certctl-io/certctl/internal/api/handler"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/api/router"
+	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/config"
 	discoveryawssm "github.com/certctl-io/certctl/internal/connector/discovery/awssm"
 	discoveryazurekv "github.com/certctl-io/certctl/internal/connector/discovery/azurekv"
@@ -1483,13 +1484,13 @@ func main() {
 	// Named keys come from CERTCTL_API_KEYS_NAMED (preferred). For backward
 	// compatibility CERTCTL_AUTH_SECRET is synthesized into legacy-key-N
 	// entries with Admin=false.
-	var namedKeys []middleware.NamedAPIKey
+	var namedKeys []auth.NamedAPIKey
 	if config.AuthType(cfg.Auth.Type) != config.AuthTypeNone {
-		// Translate typed config.NamedAPIKey -> middleware.NamedAPIKey. The
+		// Translate typed config.NamedAPIKey -> auth.NamedAPIKey. The
 		// two structs are field-compatible but live in different packages to
 		// preserve the config→middleware dependency direction.
 		for _, nk := range cfg.Auth.NamedKeys {
-			namedKeys = append(namedKeys, middleware.NamedAPIKey{
+			namedKeys = append(namedKeys, auth.NamedAPIKey{
 				Name:  nk.Name,
 				Key:   nk.Key,
 				Admin: nk.Admin,
@@ -1506,7 +1507,7 @@ func main() {
 				if p == "" {
 					continue
 				}
-				namedKeys = append(namedKeys, middleware.NamedAPIKey{
+				namedKeys = append(namedKeys, auth.NamedAPIKey{
 					Name:  fmt.Sprintf("legacy-key-%d", idx),
 					Key:   p,
 					Admin: false,
@@ -1519,7 +1520,7 @@ func main() {
 			}
 		}
 	}
-	authMiddleware := middleware.NewAuthWithNamedKeys(namedKeys)
+	authMiddleware := auth.NewAuthWithNamedKeys(namedKeys)
 	corsMiddleware := middleware.NewCORS(middleware.CORSConfig{
 		AllowedOrigins: cfg.CORS.AllowedOrigins,
 	})
@@ -12,6 +12,7 @@ import (

 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/api/router"
+	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/config"
 	"github.com/certctl-io/certctl/internal/service"
 )
@@ -44,7 +45,7 @@ func TestMain_HealthEndpointBypassesAuth(t *testing.T) {
 	})

 	// Build the handler chain the same way main.go does
-	authMiddleware := middleware.NewAuthWithNamedKeys([]middleware.NamedAPIKey{
+	authMiddleware := auth.NewAuthWithNamedKeys([]auth.NamedAPIKey{
 		{Name: "test", Key: "test-secret-key"},
 	})

@@ -159,7 +160,7 @@ func TestMain_AuthMiddlewareRejectsUnauthorized(t *testing.T) {
 	})

 	// Wrap with auth middleware
-	authMiddleware := middleware.NewAuthWithNamedKeys([]middleware.NamedAPIKey{
+	authMiddleware := auth.NewAuthWithNamedKeys([]auth.NamedAPIKey{
 		{Name: "test", Key: "test-secret-key"},
 	})

@@ -187,7 +188,7 @@ func TestMain_AuthMiddlewareAllowsWithValidKey(t *testing.T) {
 	})

 	// Wrap with auth middleware
-	authMiddleware := middleware.NewAuthWithNamedKeys([]middleware.NamedAPIKey{
+	authMiddleware := auth.NewAuthWithNamedKeys([]auth.NamedAPIKey{
 		{Name: "test", Key: testKey},
 	})

@@ -460,7 +461,7 @@ func TestMain_AuthNoneMode(t *testing.T) {

 	// Wrap with auth middleware in "none" mode
 	// auth=none equivalent: empty named-keys list is a no-op pass-through.
-	authMiddleware := middleware.NewAuthWithNamedKeys(nil)
+	authMiddleware := auth.NewAuthWithNamedKeys(nil)

 	chainedHandler := middleware.Chain(protectedHandler, authMiddleware)