sharang
4c46d673fb
Replaces the M5.1-skeleton handler set with the M4.2 spec from
IMPLEMENTATION_PLAN.md:
Endpoints (authoritative shape in openapi.yaml):
POST /v1/tenants
GET /v1/tenants/{id}
GET /v1/tenants/by-slug/{slug}
POST /v1/tenants/{id}/activate
POST /v1/tenants/{id}/cancel
GET /v1/entitlements?tenant_id=...
GET /v1/catalog
POST /v1/catalog/request
POST /v1/catalog/trial-request
POST /v1/api-keys returns plaintext ONCE
GET /v1/api-keys?tenant_id=...
DELETE /v1/api-keys/{id}
POST /v1/internal/api-keys/verify always 200; valid: bool
POST /v1/audit
GET /v1/audit?{tenant_id,product,actor_id,action,since,until,limit,cursor}
Architecture:
internal/store/store.go Store interface (CRUD + audit + ping)
internal/store/memory.go in-process impl, used when DATABASE_URL
is empty (seed acme tenant, no migrations)
internal/store/postgres.go pgxpool impl against the M4.1 schema
internal/server/server.go router + healthz/readyz
internal/server/{tenants,catalog,apikeys,audit}.go
per-concern handlers (≤250 LoC each)
internal/server/helpers.go writeJSON/writeError/error mapping/log mw
openapi.yaml 3.1 spec; openapi_test.go is the contract gate
API keys:
Plaintext format 'bp_<22-char base64>'. Prefix bp_<8> stored for UI.
Hash is argon2id(salt, time=1, mem=64MB, threads=4, len=32) encoded as
'argon2id|<salt-b64>|<hash-b64>'. Format-tagged so we can rotate
parameters without re-keying. Verify is constant-time.
Store selection:
cmd/server picks Postgres when DATABASE_URL is set, otherwise Memory.
Both implementations are exercised by the same eachStore test harness —
parity is enforced.
Audit:
Every state-changing endpoint emits via s.emitAudit() (fire-and-forget).
audit_log uses ON DELETE SET NULL on tenant_id so forensic history
outlives tenant deletes (per M4.1 schema).
Routing constraint:
Go 1.22 ServeMux can't disambiguate /v1/tenants/{id}/products from
/v1/tenants/by-slug/{slug=products}. Per-tenant subresources moved to
query-param top-level paths: /v1/entitlements?tenant_id=… and
/v1/api-keys?tenant_id=….
Tests:
Every endpoint exercised against both Memory and Postgres via the
eachStore harness. Includes happy paths, validation errors, conflicts,
404s, auto-audit-emit assertion. testcontainers-go for the postgres
harness; gated by -short.
TestOpenAPISpec is the contract gate: every documented operation must
resolve against the router. (kin-openapi v0.138.0.)
Refs: M4.2
109 lines
3.0 KiB
Go
109 lines
3.0 KiB
Go
package server
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"log/slog"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"gitea.meghsakha.com/platform/tenant-registry/internal/store"
|
|
)
|
|
|
|
// writeJSON serializes body as JSON with the supplied status. It ignores
|
|
// encode errors — by the time we're encoding we've already committed to a
|
|
// response status, so a half-written body is the least-bad outcome.
|
|
func writeJSON(w http.ResponseWriter, code int, body any) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(code)
|
|
_ = json.NewEncoder(w).Encode(body)
|
|
}
|
|
|
|
// writeError emits the platform-standard error envelope.
|
|
func writeError(w http.ResponseWriter, code int, kind, msg string) {
|
|
writeJSON(w, code, errorEnvelope{Error: kind, Message: msg})
|
|
}
|
|
|
|
type errorEnvelope struct {
|
|
Error string `json:"error"`
|
|
Message string `json:"message,omitempty"`
|
|
}
|
|
|
|
// mapStoreError converts a store-layer sentinel into the right HTTP
|
|
// envelope. Returns true if the error was handled.
|
|
func mapStoreError(w http.ResponseWriter, err error) bool {
|
|
switch {
|
|
case errors.Is(err, store.ErrNotFound):
|
|
writeError(w, http.StatusNotFound, "not_found", "resource does not exist")
|
|
case errors.Is(err, store.ErrConflict):
|
|
writeError(w, http.StatusConflict, "conflict", "resource already exists")
|
|
case errors.Is(err, store.ErrInvalidInput):
|
|
writeError(w, http.StatusBadRequest, "invalid_input", "input failed validation")
|
|
default:
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
// decodeJSON unmarshals r.Body into dst. Returns true on success; if false,
|
|
// the response is already written.
|
|
func decodeJSON(w http.ResponseWriter, r *http.Request, dst any) bool {
|
|
if err := json.NewDecoder(r.Body).Decode(dst); err != nil {
|
|
writeError(w, http.StatusBadRequest, "invalid_body", "request body is not valid JSON")
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
// logRequest is the access-log middleware: one structured line per request.
|
|
func logRequest(log *slog.Logger) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
start := time.Now()
|
|
rr := &statusRecorder{ResponseWriter: w, code: 200}
|
|
next.ServeHTTP(rr, r)
|
|
log.Info("http",
|
|
"method", r.Method,
|
|
"path", r.URL.Path,
|
|
"status", rr.code,
|
|
"duration_ms", time.Since(start).Milliseconds(),
|
|
"remote", clientIP(r),
|
|
)
|
|
})
|
|
}
|
|
}
|
|
|
|
type statusRecorder struct {
|
|
http.ResponseWriter
|
|
code int
|
|
}
|
|
|
|
func (s *statusRecorder) WriteHeader(c int) {
|
|
s.code = c
|
|
s.ResponseWriter.WriteHeader(c)
|
|
}
|
|
|
|
func clientIP(r *http.Request) string {
|
|
if fwd := r.Header.Get("X-Forwarded-For"); fwd != "" {
|
|
if i := strings.IndexByte(fwd, ','); i > 0 {
|
|
return strings.TrimSpace(fwd[:i])
|
|
}
|
|
return strings.TrimSpace(fwd)
|
|
}
|
|
if host, _, ok := splitHostPort(r.RemoteAddr); ok {
|
|
return host
|
|
}
|
|
return r.RemoteAddr
|
|
}
|
|
|
|
// splitHostPort is a port-tolerant version of net.SplitHostPort that doesn't
|
|
// error on missing port.
|
|
func splitHostPort(s string) (string, string, bool) {
|
|
i := strings.LastIndexByte(s, ':')
|
|
if i < 0 {
|
|
return s, "", false
|
|
}
|
|
return s[:i], s[i+1:], true
|
|
}
|