Extract DCR resolver into pkg/auth/dcr#5198
Draft
tgrunnagle wants to merge 1 commit intomainfrom
Draft
Conversation
github-actions
Bot
added
size/L
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5198 +/- ##
==========================================
+ Coverage 67.86% 67.91% +0.05%
==========================================
Files 610 610
Lines 62522 62543 +21
==========================================
+ Hits 42431 42478 +47
+ Misses 16910 16880 -30
- Partials 3181 3185 +4 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
tgrunnagle
force-pushed
the
dcr-3c_issue_5185
branch
from
781a0b9 to
565fade
Compare
This was referenced May 7, 2026
19 tasks
tgrunnagle
force-pushed
the
dcr-3c_issue_5185
branch
from
609e7d3 to
bf6f89a
Compare
Sub-issue 4a of #5145. Creates the shared pkg/auth/dcr package and migrates the embedded authserver to consume it. The CLI flow migration (pkg/auth/discovery::PerformOAuthFlow) is left to sub-issue 4b (#5219) so this slice stays under the project's PR-size limit. Files moved (renamed via git mv so the diff shows as renames, not deletions + additions): pkg/authserver/runner/dcr.go -> pkg/auth/dcr/resolver.go pkg/authserver/runner/dcr_store.go -> pkg/auth/dcr/store.go pkg/authserver/runner/dcr_test.go -> pkg/auth/dcr/resolver_test.go pkg/authserver/runner/dcr_store_test.go -> pkg/auth/dcr/store_test.go pkg/authserver/runner/dcr_testhelpers_test.go -> pkg/auth/dcr/testhelpers_test.go Public API surface (renamed from runner-package internals because they now cross a package boundary): Resolution (was DCRResolution) Key (was DCRKey, alias to storage.DCRKey unchanged) CredentialStore (was the package-private dcrResolutionCache) ResolveCredentials (was resolveDCRCredentials) NeedsDCR (was needsDCR) ConsumeResolution (was consumeResolution) ApplyResolutionToOAuth2Config (was applyResolutionToOAuth2Config) LogStepError (was logDCRStepError) NewInMemoryStore (new convenience constructor wrapping storage.NewMemoryStorage; mirrors the pattern the per-test newMemoryDCRStore helpers use) NewStorageBackedStore (was the package-private newStorageBackedStore) SanitizeErrorForLog (was sanitizeErrorForLog; promoted to exported because the deferred-cleanup log path in pkg/authserver/runner needs it) Names follow the pkg/auth/dcr.* form so the linter's stuttering check (revive: dcr.DCRResolution would stutter) passes and the surface reads as ordinary package API. resolveSecret was duplicated into the dcr package because pkg/auth/dcr must stay profile-agnostic and cannot reach back into pkg/authserver/runner. The duplication is intentional and called out in a comment; future consolidation can move it into a shared helper if a third caller appears. A parallel TestResolveSecret / TestResolveSecretWithEnvVar suite in pkg/auth/dcr/secret_test.go mirrors the runner-package twin's observable contract so any future drift between the two copies fails CI on at least one side. Review-feedback bits applied alongside the move: - Package doc comment in pkg/auth/dcr/resolver.go now documents the process-global singleflight in a Concurrency section, and labels the profile-agnostic framing as a target state for sub-issue 4b rather than as a description of the current API shape (the package's public API still takes embedded-authserver types). - dcrFlight var doc gains a cross-consumer caveat naming the "third consumer with colliding redirect URI" failure mode. - Flight-key construction extracted into flightKeyOf(Key) string so the canonical key shape is inspectable rather than buried in a string-concatenation literal. - endpointsFromMetadata gains a defensive nil check; the function's doc comment names the oauthproto contract being defended. - newMemoryDCRStore test helper is duplicated across the two packages because Go test helpers cannot be shared without exporting them; the duplication is documented at both sites. Acceptance criteria status (#5145): AC#1 (pkg/auth/dcr exists, exports a stateful resolver, consumed by both call sites): partially met — package exists and is consumed by EmbeddedAuthServer. CLI flow migration is sub-issue 4b (#5219). AC#2 (stateless RFC 7591 helpers in pkg/oauthproto): met (already satisfied before this PR). AC#3 (no direct oauthproto.RegisterClientDynamically calls outside pkg/auth/dcr): not yet met — pkg/auth/discovery still calls it. Resolved by sub-issue 4b (#5219). AC#4 (review-property behaviours apply to CLI flow): not yet met — same dependency on 4b (#5219). Closes #5220. Verified via task lint-fix (0 issues), task license-check (clean), and go test -count=1 -race ./pkg/auth/dcr/... ./pkg/authserver/... (all pass).
tgrunnagle
force-pushed
the
dcr-4a_issue_5145
branch
from
633ed9e to
81b9e02
Compare
github-actions
Bot
added
size/L
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
DRAFT - not ready for review
Summary
pkg/authserver/runner/dcr.goandpkg/auth/discovery::PerformOAuthFlow) into a single sharedpkg/auth/dcrpackage, so review-derived behaviours (S256 PKCE gate, RFC 7591 §3.2.1 expiry refetch, redirect refusal, panic recovery, singleflight) cannot diverge between the embedded authserver and the CLI flow as future consumers land. The full migration is too large for a single PR, so this slice (sub-issue 4a) does the package extraction and migrates the embedded authserver only.pkg/authserver/runnerinto a newpkg/auth/dcrpackage and migratesEmbeddedAuthServerto consume it. File moves usegit mvso the diff renders as renames rather than delete+add. Public symbols are renamed to drop the redundantDCRprefix on packagisation (e.g.,DCRResolution→dcr.Resolution,DCRCredentialStore→dcr.CredentialStore,resolveDCRCredentials→dcr.ResolveCredentials). Adds a parallelTestResolveSecretsuite mirroring the runner-package twin so any future drift between the tworesolveSecretcopies fails CI.Closes #5220 (sub-issue 4a). Part of #5145 — does not close the parent. Sibling sub-issue #5219 (4b — CLI flow migration in
pkg/auth/discovery::PerformOAuthFlow) closes #5145 when it lands; AC#1, AC#3, and AC#4 of the parent depend on it.Stacking
This branch is stacked on PR #5196 (
dcr-3c_issue_5185— "Wire persistent DCRCredentialStore into EmbeddedAuthServer"), which is itself stacked on PRs #5186 and #5195. The earlier commits on this branch (c0fed523through781a0b97) implement sub-issues #5183 / #5184 / #5185 (the persistent DCR store and Redis backend) and are shown for context only — review against PR #5196 once it merges, or review the two commits unique to this branch in isolation:df84256fExtract DCR resolver intopkg/auth/dcr633ed9edAddress code review feedbackType of change
Test plan
task test) —go test -count=1 -race ./pkg/auth/dcr/... ./pkg/authserver/...all passtask lint-fix) — 0 issuestask license-check) — cleanChanges
pkg/auth/dcr/resolver.gopkg/authserver/runner/dcr.go; public symbols renamed to drop theDCRprefix; package doc updated with a# Concurrencysection documenting the process-global singleflight; newflightKeyOf(Key)helper makes the canonical key shape inspectable;endpointsFromMetadatagains a defensive nil check and anoauthprotocontract note.pkg/auth/dcr/store.gopkg/authserver/runner/dcr_store.go; constructors renamed (NewInMemoryStore,NewStorageBackedStore); type renamed toCredentialStore.pkg/auth/dcr/resolver_test.gopkg/authserver/runner/dcr_test.go; updated for new package boundary and renamed symbols.pkg/auth/dcr/store_test.gopkg/authserver/runner/dcr_store_test.go; updated for new package boundary.pkg/auth/dcr/secret_test.goresolveSecretsuite that mirrors the runner-package twin's observable contract so future drift between the two duplicated helpers fails CI on at least one side.pkg/authserver/runner/embeddedauthserver.gopkg/auth/dcr; doc comments onbuildUpstreamConfigsandDCRStore()updated to use the new public names.pkg/authserver/runner/embeddedauthserver_test.goDoes this introduce a user-facing change?
No. This is an internal refactor. The embedded authserver's externally-observable DCR behaviour (registration, caching, error reporting, structured logging, expiry refetch, S256 gating) is unchanged.
Implementation plan
Approved implementation plan
Sub-issue 4a (#5220) of #5145 — extract the resolver into
pkg/auth/dcrand migrate the embedded authserver only. Defer thepkg/auth/discovery::PerformOAuthFlowmigration to sub-issue 4b (#5219) so this slice stays under the 400-line / 10-file PR-size limit.Profile-neutral input shape: the package's API still takes embedded-authserver types directly. Designing a profile-neutral input type with only one consumer in hand would be speculative; the right design moment is when 4b lands the CLI flow as the second consumer. The package doc comment in
pkg/auth/dcr/resolver.gocalls this coupling out explicitly and labels the profile-agnostic framing as a target state for 4b rather than the current API shape.Duplication of
resolveSecret: deliberately duplicated acrosspkg/authserver/runnerandpkg/auth/dcrbecause the DCR package must stay reachable-from-runner-but-not-back. Promoting to a shared helper is deferred until 4b lands a third call site. Drift between the two copies is guarded by parallel test suites with identical observable contracts.Special notes for reviewers
git mvso the diff renders as renames. The percentage similarity ingit log --stat --followreflects that the bulk of the move is mechanical and the substantive deltas are confined to (a) the package doc rewrite at the top ofresolver.go, (b) theflightKeyOfextraction and singleflight comment, (c) theendpointsFromMetadatanil guard, and (d) the import/symbol rename sweep inembeddedauthserver.go.dcrFlightvar. The cross-consumer caveat ("third consumer with colliding redirect URI" failure mode) is named explicitly so the next migration cannot silently re-introduce a collision.df84256f):pkg/auth/dcrexists, exports a stateful resolver, consumed by both call sites): partially met — package exists and is consumed byEmbeddedAuthServer. CLI flow migration is sub-issue 4b (Migrate CLI OAuth flow to pkg/auth/dcr resolver #5219).pkg/oauthproto): met (already satisfied before this PR).oauthproto.RegisterClientDynamicallycalls outsidepkg/auth/dcr): not yet met —pkg/auth/discoverystill calls it. Resolved by sub-issue 4b (Migrate CLI OAuth flow to pkg/auth/dcr resolver #5219).