feat(auth): add GET /v1/me/can capability probe and OIDC token-refresh logging#129
Merged
Closes RFC 0003 open questions 5 & 6.

- Add `GET /v1/me/can?capability=<name>` server endpoint that returns whether the resolved identity holds the requested capability. Unknown capability strings return 400 BAD_REQUEST rather than silently degrading to `allowed=false`, surfacing typos as client errors. Recognised capabilities are a closed set: `cache.read`, `cache.write`, `cache.admin`.
- Add `Identity.HasCapability(name string)` to `pkg/httpauth/policy.go` as the single authoritative scope-to-capability check shared by both the server handler and the SDK.
- Add `Client.Can(ctx, capability)` SDK method mirroring the new endpoint. Denial returns `(false, nil)`; spelling mistakes return `(false, ErrBadRequest)`, making the typo visible at the call site.
- Add `loggingTokenSource` in `pkg/client/oidc_logging.go` wrapping the `oauth2.TokenSource` used by `WithOIDCClientCredentials`. Emits one `"oidc token rotated"` slog Info line per real rotation (expiry change); cached returns stay silent. Holds a `*Client` reference so `WithLogger` applied after `WithOIDCClientCredentials` still reaches the log surface.
- Extend `openapi.yaml` with the `/v1/me/can` operation and `CanResponse` schema.
- Add 9 new tests: 3 handler tests (`me_test.go`), 3 SDK tests (`client_test.go`), 3 unit tests (`oidc_logging_test.go`).
- Update `docs/client-sdk.md` and `CHANGELOG.md` with new sections for capability probing and token-refresh visibility.
- Fix `Makefile` `pre-commit` target to activate the pyenv virtualenv before running hooks.
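As an added example that is not the PR's own code, the closed-set probe semantics described above (an unrecognised name is a 400, a genuine denial is `allowed=false`) as a stdlib Go handler; the scope-to-capability mapping and the `resolve` identity hook are assumptions for this illustration:

```go
package main
import ("encoding/json"; "net/http")

// Closed set of recognised capabilities; any other string is a client error, never a silent deny.
var knownCaps = map[string]bool{"cache.read": true, "cache.write": true, "cache.admin": true}
// Scope-to-capability mapping: assumed for this example, not the project's real policy.
var scopeCaps = map[string][]string{
	"cache:read":  {"cache.read"},
	"cache:write": {"cache.read", "cache.write"},
	"cache:admin": {"cache.read", "cache.write", "cache.admin"},
}

type Identity struct{ Scopes []string }

// HasCapability returns (held, known); known == false means the name is outside the closed set.
func (id Identity) HasCapability(name string) (held, known bool) {
	if !knownCaps[name] {
		return false, false
	}
	for _, s := range id.Scopes {
		for _, c := range scopeCaps[s] {
			held = held || c == name
		}
	}
	return held, true
}

type CanResponse struct {
	Capability string `json:"capability"`
	Allowed    bool   `json:"allowed"`
}

// CanHandler serves GET /v1/me/can?capability=<name>; resolve stands in for the auth middleware (hypothetical hook).
func CanHandler(resolve func(*http.Request) Identity) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		name := r.URL.Query().Get("capability")
		held, known := resolve(r).HasCapability(name)
		w.Header().Set("Content-Type", "application/json")
		if !known { // typo or unrecognised name: 400, so the mistake is visible to the caller
			w.WriteHeader(http.StatusBadRequest)
			_ = json.NewEncoder(w).Encode(map[string]string{"error": "BAD_REQUEST"})
			return
		}
		_ = json.NewEncoder(w).Encode(CanResponse{Capability: name, Allowed: held})
	}
}

func main() { // stand-alone demo: every caller is treated as holding only the cache:write scope
	_ = http.ListenAndServe("127.0.0.1:8080", CanHandler(func(*http.Request) Identity { return Identity{Scopes: []string{"cache:write"}} }))
}
```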